skip to main content

SecRSL: security separation logic for C11 release-acquire concurrency

Published:15 October 2021Publication History
Skip Abstract Section

Abstract

We present Security Relaxed Separation Logic (SecRSL), a separation logic for proving information-flow security of C11 programs in the Release-Acquire fragment with relaxed accesses. SecRSL is the first security logic that (1) supports weak-memory reasoning about programs in a high-level language; (2) inherits separation logic’s virtues of compositional, local reasoning about (3) expressive security policies like value-dependent classification.

SecRSL is also, to our knowledge, the first security logic developed over an axiomatic memory model. Thus we also present the first definitions of information-flow security for an axiomatic weak memory model, against which we prove SecRSL sound. SecRSL ensures that programs satisfy a constant-time security guarantee, while being free of undefined behaviour.

We apply SecRSL to implement and verify the functional correctness and constant-time security of a range of concurrency primitives, including a spinlock module, a mixed-sensitivity mutex, and multiple synchronous channel implementations. Empirical performance evaluations of the latter demonstrate SecRSL’s power to support the development of secure and performant concurrent C programs.

Skip Supplemental Material Section

Supplemental Material

Auxiliary Presentation Video

This is a presentation video of my talk at OOPSLA 2021 on our paper accepted in the research track. We present Security Relaxed Separation Logic (SecRSL), a separation logic for proving information-flow security of C11 programs in the Release-Acquire fragment with relaxed accesses. SecRSL is also the first security logic developed over an axiomatic memory model. Thus we also present the first definitions of information-flow security for an axiomatic weak memory model, against which we prove SecRSL sound. We apply SecRSL to implement and verify the functional correctness and constant-time security of a range of concurrency primitives, including multiple synchronous channel implementations. Empirical performance evaluations of the latter demonstrate SecRSL’s power to support the development of secure and performant concurrent C programs.

References

  1. Jade Alglave, Anthony Fox, Samin Ishtiaq, Magnus O Myreen, Susmit Sarkar, Peter Sewell, and Francesco Zappa Nardelli. 2009. The semantics of Power and ARM multiprocessor machine code. In Proceedings of the 4th workshop on Declarative aspects of multicore programming. 13–24.Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. PG Allen. 1991. A comparison of non-interference and non-deducibility using CSP. In IEEE Computer Security Foundations Workshop (CSFW). 43–54.Google ScholarGoogle ScholarCross RefCross Ref
  3. Paolo Baldan and Alessandro Beggiato. 2018. Multilevel transitive and intransitive non-interference, causally. Theoretical Computer Science, 706 (2018), 54–82.Google ScholarGoogle ScholarCross RefCross Ref
  4. Paolo Baldan and Alberto Carraro. 2014. Non-interference by unfolding. In International Conference on Applications and Theory of Petri Nets and Concurrency. 190–209.Google ScholarGoogle ScholarCross RefCross Ref
  5. Gilles Barthe, Sandrine Blazy, Benjamin Grégoire, Rémi Hutin, Vincent Laporte, David Pichardie, and Alix Trieu. 2019. Formal verification of a constant-time preserving C compiler. Proceedings of the ACM on Programming Languages, 4, POPL (2019), 1–30.Google ScholarGoogle Scholar
  6. Gilles Barthe, Thomas Espitau, Benjamin Grégoire, Justin Hsu, and Pierre-Yves Strub. 2017. Proving expected sensitivity of probabilistic programs. Proceedings of the ACM on Programming Languages, 2, POPL (2017), 1–29.Google ScholarGoogle Scholar
  7. Mark Batty, Alastair F Donaldson, and John Wickerson. 2016. Overhauling SC atomics in C11 and OpenCL. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). 634–648.Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Mark Batty, Scott Owens, Susmit Sarkar, Peter Sewell, and Tjark Weber. 2011. Mathematizing C++ concurrency. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). 55–66.Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Mark John Batty. 2014. The C11 and C++11 Concurrency Model. Ph.D. Dissertation. University of Cambridge.Google ScholarGoogle Scholar
  10. Nick Benton. 2004. Simple relational correctness proofs for static analyses and program transformations. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). 14–25.Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Marko Doko and Viktor Vafeiadis. 2016. A program logic for C11 memory fences. In International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI). 413–430.Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Marko Doko and Viktor Vafeiadis. 2017. Tackling real-life relaxed concurrency with FSL++. In European Symposium on Programming (ESOP). 448–475.Google ScholarGoogle ScholarCross RefCross Ref
  13. Gidon Ernst and Toby Murray. 2019. SecCSL: Security Concurrent Separation Logic. In International Conference on Computer Aided Verification (CAV). 208–230.Google ScholarGoogle Scholar
  14. Cormac Flanagan, Amr Sabry, Bruce F Duba, and Matthias Felleisen. 1993. The essence of compiling with continuations. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 237–247.Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2021. Compositional Non-Interference for Fine-Grained Concurrent Programs. In IEEE Symposium on Security & Privacy (S&P). To appear.Google ScholarGoogle Scholar
  16. Joseph Goguen and José Meseguer. 1982. Security Policies and Security Models. In IEEE Symposium on Security & Privacy (S&P). IEEE Computer Society, Oakland, California, USA. 11–20.Google ScholarGoogle Scholar
  17. Kohei Honda, Vasco Vasconcelos, and Nobuko Yoshida. 2000. Secure information flow as typed process behaviour. In European Symposium on Programming (ESOP). 180–199.Google ScholarGoogle ScholarCross RefCross Ref
  18. Aleksandr Karbyshev, Kasper Svendsen, Aslan Askarov, and Lars Birkedal. 2018. Compositional Non-Interference for Concurrent Programs via Separation and Framing. In International Conference on Principles of Security and Trust (POST).Google ScholarGoogle ScholarCross RefCross Ref
  19. Luísa Lourenço and Luís Caires. 2015. Dependent Information Flow Types. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). Mumbai, India. 317–328.Google ScholarGoogle Scholar
  20. Sela Mador-Haim, Luc Maranget, Susmit Sarkar, Kayvan Memarian, Jade Alglave, Scott Owens, Rajeev Alur, Milo MK Martin, Peter Sewell, and Derek Williams. 2012. An axiomatic memory model for POWER multiprocessors. In International Conference on Computer Aided Verification (CAV). 495–512.Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Kenji Maillard, Cătălin Hriţcu, Exequiel Rivas, and Antoine Van Muylder. 2019. The next 700 relational program logics. Proceedings of the ACM on Programming Languages, 4, POPL (2019), 1–33.Google ScholarGoogle Scholar
  22. Jeremy Manson, William Pugh, and Sarita V Adve. 2005. The Java memory model. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). 378–391.Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Heiko Mantel, Matthias Perner, and Jens Sauer. 2014. Noninterference under weak memory models. In IEEE Computer Security Foundations Symposium (CSF). 80–94.Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Toby Murray and Gavin Lowe. 2009. On Refinement-Closed Security Properties and Nondeterministic Compositions. In International Workshop on Automated Verification of Critical Systems (Electronic Notes in Theoretical Computer Science, Vol. 250). 49–68. https://doi.org/10.1016/j.entcs.2009.08.017 Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Toby Murray and Gavin Lowe. 2010. Analysing the Information Flow Properties of Object-Capability Patterns. In Formal Aspects of Security and Trust (Lecture Notes in Computer Science, Vol. 5983). Eindhoven, The Netherlands. 81–95. https://doi.org/10.1007/978-3-642-12459-4_7 Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Toby Murray, Robert Sison, and Kai Engelhardt. 2018. COVERN: A Logic for Compositional Verification of Information Flow Control. In IEEE European Symposium on Security and Privacy (EuroS&P). London, United Kingdom.Google ScholarGoogle Scholar
  27. Toby Murray, Robert Sison, Edward Pierzchalski, and Christine Rizkallah. 2016. Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference. In IEEE Computer Security Foundations Symposium (CSF). 417–431.Google ScholarGoogle Scholar
  28. Peter W O’Hearn. 2004. Resources, concurrency and local reasoning. In International Conference on Concurrency Theory (CONCUR). 49–67.Google ScholarGoogle Scholar
  29. AW Roscoe, JCP Woodcock, and Lars Wulf. 1994. Non-interference through determinism. In European Symposium on Research in Computer Security (ESORICS). 31–53.Google ScholarGoogle ScholarCross RefCross Ref
  30. A William Roscoe. 1995. CSP and determinism in security modelling. In IEEE Symposium on Security & Privacy (S&P). 114–127.Google ScholarGoogle ScholarCross RefCross Ref
  31. Susmit Sarkar, Peter Sewell, Francesco Zappa Nardelli, Scott Owens, Tom Ridge, Thomas Braibant, Magnus O Myreen, and Jade Alglave. 2009. The semantics of x86-CC multiprocessor machine code. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL).Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Daniel Schoepe, Toby Murray, and Andrei Sabelfeld. 2020. VERONICA: Expressive and Precise Concurrent Information Flow Security. In IEEE Computer Security Foundations Symposium (CSF). 79–94.Google ScholarGoogle Scholar
  33. Robert Sison and Toby Murray. 2019. Verifying That a Compiler Preserves Concurrent Value-Dependent Information-Flow Security. In International Conference on Interactive Theorem Proving (ITP). 27:1–27:19.Google ScholarGoogle Scholar
  34. Graeme Smith, Nicholas Coughlin, and Toby Murray. 2019. Value-Dependent Information-Flow Security on Weak Memory Models. In International Symposium on Formal Methods (FM). 539–555.Google ScholarGoogle Scholar
  35. Tachio Terauchi. 2008. A type system for observational determinism. In IEEE Computer Security Foundations Symposium (CSF). 287–300.Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Viktor Vafeiadis. 2011. Concurrent Separation Logic and Operational Semantics. In Mathematical Foundations of Programming Semantics (MFPS). 335–351.Google ScholarGoogle Scholar
  37. Viktor Vafeiadis and Chinmay Narayan. 2013. Relaxed separation logic: A program logic for C11 concurrency. In Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA). 867–884.Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Jeffrey A Vaughan and Todd Millstein. 2012. Secure information flow for concurrent programs under Total Store Order. In IEEE Computer Security Foundations Symposium (CSF). 19–29.Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Jaroslav Ševčík and Peter Sewell. 2016. C/C++11 mappings to processors. https://www.cl.cam.ac.uk/ pes20/cpp/cpp0xmappings.htmlGoogle ScholarGoogle Scholar
  40. Pengbo Yan. 2021. SecRSL: Security Separation Logic for C11 Release-Acquire Concurrency - Coq Formalisation. https://doi.org/10.5281/zenodo.5493554 Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Pengbo Yan and Toby Murray. 2021. SecRSL: Security Separation Logic for C11 Release-Acquire Concurrency (Extended version with technical appendices). arxiv:2109.03602.Google ScholarGoogle Scholar
  42. Hongseok Yang. 2007. Relational separation logic. Theoretical Computer Science, 375, 1-3 (2007), 308–334.Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Steve Zdancewic and Andrew C Myers. 2003. Observational determinism for concurrent program security. In IEEE Computer Security Foundations Workshop (CSFW). 29–43.Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. SecRSL: security separation logic for C11 release-acquire concurrency

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!