A Methodology For Micro-Policies

A METHODOLOGY FOR MICRO-POLICIES Arthur Azevedo de Amorim Benjamin C. Pierce This thesis proposes a formal methodology for defining, specifying, and reasoning about micropolicies—security policies based on fine-grained tagging that include forms of access control, memory safety, compartmentalization, and information-flow control. Our methodology is based on a symbolic machine that extends a conventional RISC-like architecture with tags. Tags express security properties of parts of the program state (“this is an instruction,” “this is secret,” etc.), and are checked and propagated on every instruction according to flexible user-supplied rules. We apply this methodology to two widely studied policies, information-flow control and heap memory safety, implementing them with the symbolic machine and formally characterizing their security guarantees: for information-flow control, we prove a classic notion of termination-insensitive noninterference; for memory safety, a novel property that protects memory regions that a program cannot validly reach through the pointers it possesses—which, we believe, provides a useful criterion for evaluating and comparing different flavors of memory safety. We show how the symbolic machine can be realized with a more practical processor design, where a software monitor takes advantage of a hardware cache to speed up its execution while protecting itself from potentially malicious user-level code. Our development has been formalized and verified in the Coq proof assistant, attesting that our methodology can provide rigorous security guarantees.

[1]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[2]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[3]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[4]  Milo M. K. Martin,et al.  Ironclad C++: a library-augmented type-safe subset of c++ , 2013, OOPSLA.

[5]  Benjamin C. Pierce,et al.  The Meaning of Memory Safety , 2017, POST.

[6]  Derek Dreyer,et al.  Robust and compositional verification of object capability patterns , 2017, Proc. ACM Program. Lang..

[7]  Úlfar Erlingsson,et al.  Automated Analysis of Security-Critical JavaScript APIs , 2011, 2011 IEEE Symposium on Security and Privacy.

[8]  Edward A. Feustel,et al.  On The Advantages of Tagged Architecture , 1973, IEEE Transactions on Computers.

[9]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[10]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[11]  Frederic T. Chong,et al.  Minos: Control Data Attack Prevention Orthogonal to Memory Model , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[12]  Andrew W. Appel Verified Software Toolchain - (Invited Talk) , 2011, ESOP.

[13]  Cezary Kaliszyk,et al.  General Bindings and Alpha-Equivalence in Nominal Isabelle , 2011, ESOP.

[14]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[15]  J. Gregory Morrisett,et al.  L3: A Linear Language with Locations , 2007, Fundam. Informaticae.

[16]  Dominique Devriese,et al.  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[17]  Zhong Shao,et al.  Certified assembly programming with embedded code pointers , 2006, POPL '06.

[18]  Vitaly Shmatikov,et al.  Memento: Learning Secrets from Process Footprints , 2012, 2012 IEEE Symposium on Security and Privacy.

[19]  Magnus O. Myreen,et al.  A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture , 2010, ITP.

[20]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[21]  Thomas F. Knight,et al.  Trust-Management, Intrusion-Tolerance, Accountability, and Reconstitution Architecture (TIARA) , 2009 .

[22]  Michael M. Swift,et al.  Efficient virtual memory for big memory servers , 2013, ISCA.

[23]  Benjamin C. Pierce,et al.  Testing noninterference, quickly , 2013, Journal of Functional Programming.

[24]  Jianzhou Zhao Formalizing the SSA-based compiler for verified advanced program transformations , 2013 .

[25]  Nick Benton,et al.  Coq: the world's best macro assembler? , 2013, PPDP.

[26]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[27]  Deian Stefan,et al.  Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling , 2013, ESORICS.

[28]  Saikat Guha,et al.  Bootstrapping Privacy Compliance in Big Data Systems , 2014, 2014 IEEE Symposium on Security and Privacy.

[29]  Adam Chlipala,et al.  Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant , 2015, POPL.

[30]  Benjamin C. Pierce,et al.  A Theory of Information-Flow Labels , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[31]  Benjamin C. Pierce,et al.  A bisimulation for dynamic sealing , 2007, Theor. Comput. Sci..

[32]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[33]  Jonathan M. Smith,et al.  Preliminary design of the SAFE platform , 2011, PLOS '11.

[34]  J. Jacob,et al.  On the derivation of secure components , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[35]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[36]  David A. Schmidt,et al.  Automata-Based Confidentiality Monitoring , 2006, ASIAN.

[37]  James H. Morris Protection in programming languages , 1973, CACM.

[38]  Jeehoon Kang,et al.  A formal C memory model supporting integer-pointer casts , 2015, PLDI.

[39]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[40]  Anindya Banerjee,et al.  Stack-based access control and secure information flow , 2005, J. Funct. Program..

[41]  Gerwin Klein,et al.  Noninterference for Operating System Kernels , 2012, CPP.

[42]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[43]  Cǎtǎlin Hriţcu,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, PLAS@ECOOP.

[44]  Riccardo Focardi,et al.  Micro-policies for Web Session Security , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[45]  Christof Fetzer,et al.  Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches , 2017, ArXiv.

[46]  Fred B. Schneider,et al.  JRIF: Reactive Information Flow Control for Java , 2016, Foundations of Security, Protocols, and Equational Reasoning.

[47]  Michael Backes,et al.  Automatic Discovery and Quantification of Information Leaks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[48]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[49]  Deian Stefan,et al.  Addressing covert termination and timing channels in concurrent information flow systems , 2012, ICFP '12.

[50]  Roberto Guanciale,et al.  Machine code verification of a tiny ARM hypervisor , 2013, TrustED '13.

[51]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[52]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[53]  Milo M. K. Martin,et al.  Formalizing the LLVM intermediate representation for verified program transformations , 2012, POPL '12.

[54]  Nick Benton,et al.  High-level separation logic for low-level code , 2013, POPL.

[55]  Arthur Azevedo de Amorim Binding Operators for Nominal Sets , 2016, MFPS.

[56]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[57]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[58]  Georges Gonthier A computer-checked proof of the Four Colour Theorem , 2005 .

[59]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[60]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[61]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[62]  Tobias Nipkow,et al.  A FORMAL PROOF OF THE KEPLER CONJECTURE , 2015, Forum of Mathematics, Pi.

[63]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[64]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[65]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[66]  André DeHon,et al.  Protecting the Stack with Metadata Policies and Tagged Hardware , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[67]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[68]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[69]  Thomas F. Knight,et al.  A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow , 2001 .

[70]  Jeremy Avigad,et al.  A Machine-Checked Proof of the Odd Order Theorem , 2013, ITP.

[71]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[72]  Benjamin C. Pierce,et al.  Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[73]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[74]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[75]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[76]  Felix Klaedtke,et al.  Enforceable Security Policies Revisited , 2012, POST.

[77]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[78]  Benjamin C. Pierce,et al.  A verified information-flow architecture , 2014, J. Comput. Secur..

[79]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[80]  Geoffrey Smith,et al.  On the Foundations of Quantitative Information Flow , 2009, FoSSaCS.

[81]  John Rushby,et al.  Noninterference, Transitivity, and Channel-Control Security Policies 1 , 2005 .

[82]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[83]  Udit Dhawan,et al.  Area-efficient near-associative memories on FPGAs , 2013, FPGA '13.

[84]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[85]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[86]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[87]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[88]  Adam Chlipala,et al.  The bedrock structured programming system: combining generative metaprogramming and hoare logic in an extensible program verifier , 2013, ICFP.

[89]  Nick Benton,et al.  Integrating Linear and Dependent Types , 2015, POPL.

[90]  Andrew M. Pitts,et al.  Nominal Sets: Names and Symmetry in Computer Science , 2013 .

[91]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[92]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[93]  Jonathan M. Smith,et al.  PUMP: a programmable unit for metadata processing , 2014, HASP@ISCA.

[94]  Roberto Guanciale,et al.  Formal verification of information flow security for a simple arm-based separation kernel , 2013, CCS.

[95]  Mads Dam,et al.  Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties , 2013, CPP.

[96]  Xavier Leroy,et al.  A Formally-Verified C Static Analyzer , 2015, POPL.

[97]  Guilherme Ottoni,et al.  RIFLE: An Architectural Framework for User-Centric Information-Flow Security , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[98]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[99]  Andrew C. Myers,et al.  Programming Languages for Information Security , 2002 .

[100]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[101]  Andrew M. Pitts,et al.  A New Approach to Abstract Syntax with Variable Binding , 2002, Formal Aspects of Computing.

[102]  Andrei Sabelfeld,et al.  A Perspective on Information-Flow Control , 2012, Software Safety and Security.

[103]  Robert N. M. Watson,et al.  Into the depths of C: elaborating the de facto standards , 2016, PLDI.

[104]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[105]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[106]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.