ARMor: Fully verified software fault isolation

We have designed and implemented ARMor, a system that uses software fault isolation (SFI) to sandbox application code running on small embedded processors. Sandboxing can be used to protect components such as the RTOS and critical control loops from other, less-trusted components. ARMor guarantees memory safety and control flow integrity; it works by rewriting a binary to put a check in front of every potentially dangerous operation. We formally and automatically verify that an ARMored application respects the SFI safety properties using the HOL theorem prover. Thus, ARMor provides strong isolation guarantees and has an exceptionally small trusted computing base—there is no trusted compiler, binary rewriter, verifier, or operating system.
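The "check in front of every potentially dangerous operation" idea, as an added C example that is not ARMor's own code: a runtime data guard that masks a store address into a constructed sandbox region, and a small static checker of the kind a verifier performs, which rejects an unguarded store or indirect jump and a guard whose register is rewritten before use. The abstract instruction forms, register numbers and sandbox layout are assumptions for illustration, not ARMor's real binary format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Abstract instruction forms. Constructed for this example; not ARMor's encoding. */
typedef enum { OP_ADD, OP_GUARD_DATA, OP_STORE, OP_GUARD_CODE, OP_JUMP } Op;

/* dst: register the instruction writes (-1 if none);
 * src: register used as the store address or branch target (-1 if none). */
typedef struct { Op op; int dst; int src; } Insn;

/* Constructed sandbox layout: a 1 MiB data region at 0x20000000. */
#define SANDBOX_BASE 0x20000000u
#define SANDBOX_MASK 0x000FFFFFu

/* Runtime form of the data guard: masking forces any address into the region,
 * so a store that follows it cannot reach memory outside the sandbox. */
uint32_t guard_data(uint32_t addr) {
    return SANDBOX_BASE | (addr & SANDBOX_MASK);
}

/* Static check over a straight-line instruction sequence: every STORE must use a
 * register still covered by a GUARD_DATA, every JUMP a register still covered by
 * a GUARD_CODE. A guard stays valid only until the next write to that register,
 * so a clobbered guard is rejected. (A full verifier also resets at branch targets.) */
bool sfi_check(const Insn *prog, size_t n) {
    int data_ok = -1, code_ok = -1;   /* register currently guarded, or -1 */
    for (size_t i = 0; i < n; i++) {
        const Insn *in = &prog[i];
        /* any write invalidates an outstanding guard on the written register */
        if (in->dst == data_ok) data_ok = -1;
        if (in->dst == code_ok) code_ok = -1;
        switch (in->op) {
        case OP_GUARD_DATA: data_ok = in->dst; break;
        case OP_GUARD_CODE: code_ok = in->dst; break;
        case OP_STORE: if (in->src != data_ok) return false; break;
        case OP_JUMP:  if (in->src != code_ok) return false;
                       data_ok = code_ok = -1; break;   /* control leaves this block */
        case OP_ADD:   break;
        }
    }
    return true;
}

/* Constructed program: guarded store through r1, guarded jump through r2 (accepted). */
const Insn ok_prog[] = {
    {OP_GUARD_DATA, 1, 1}, {OP_STORE, -1, 1}, {OP_GUARD_CODE, 2, 2}, {OP_JUMP, -1, 2} };
/* Constructed program: r1 is rewritten between its guard and the store (rejected). */
const Insn bad_prog[] = {
    {OP_GUARD_DATA, 1, 1}, {OP_ADD, 1, 3}, {OP_STORE, -1, 1} };
```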
