Abstract
We present Security Relaxed Separation Logic (SecRSL), a separation logic for proving information-flow security of C11 programs in the Release-Acquire fragment with relaxed accesses. SecRSL is the first security logic that (1) supports weak-memory reasoning about programs in a high-level language; (2) inherits separation logic’s virtues of compositional, local reasoning about (3) expressive security policies like value-dependent classification.
SecRSL is also, to our knowledge, the first security logic developed over an axiomatic memory model. Thus we also present the first definitions of information-flow security for an axiomatic weak memory model, against which we prove SecRSL sound. SecRSL ensures that programs satisfy a constant-time security guarantee, while being free of undefined behaviour.
We apply SecRSL to implement and verify the functional correctness and constant-time security of a range of concurrency primitives, including a spinlock module, a mixed-sensitivity mutex, and multiple synchronous channel implementations. Empirical performance evaluations of the latter demonstrate SecRSL’s power to support the development of secure and performant concurrent C programs.
SecRSL: security separation logic for C11 release-acquire concurrency