A verified information-flow architecture

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.
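The tag-propagation discipline and the noninterference property sketched above, as an added illustration that is not the paper's Coq development: a small labelled stack machine over an assumed two-point lattice whose instructions tag results with the join of their operands' labels and the pc label, fail-stopping when a policy is violated, followed by a two-run check of termination-insensitive noninterference. The instruction names, the lattice and the sample programs are my own assumptions, not the SAFE instruction set.

```python
# Added illustration (not the paper's Coq model): a tiny labelled stack machine in
# the spirit of SAFE's IFC abstract machine, with a two-run noninterference check.
from typing import NamedTuple
LOW, HIGH = 0, 1                    # assumed two-point lattice, LOW below HIGH
join = max                          # least upper bound on that lattice

class Val(NamedTuple):
    n: int                          # payload
    lab: int                        # confidentiality label carried by the value

def run(prog, mem, track_pc=True):
    """Execute prog over labelled memory cells; results carry the join of their
    operands' labels and the pc label. Outputting HIGH data fail-stops (None)."""
    stack, out, pc, pcl = [], [], 0, LOW
    while pc < len(prog):
        op, *args = prog[pc]
        pc += 1
        if op == "push":
            stack.append(Val(args[0], pcl))
        elif op == "load":
            v = mem[args[0]]
            stack.append(Val(v.n, join(v.lab, pcl)))
        elif op == "add":
            b, a = stack.pop(), stack.pop()
            stack.append(Val(a.n + b.n, join(join(a.lab, b.lab), pcl)))
        elif op == "bnz":                     # control now depends on v
            v = stack.pop()
            if track_pc:
                pcl = join(pcl, v.lab)        # raise the pc label; never lowered here
            if v.n != 0:
                pc = args[0]
        elif op == "out":                     # LOW-labelled output channel
            v = stack.pop()
            if join(v.lab, pcl) > LOW:
                return None                   # policy violation: fail-stop
            out.append(v.n)
    return out

def noninterfering(prog, mem1, mem2, track_pc=True):
    """Low-equivalent memories must give equal outputs unless a run fail-stops."""
    for a in mem1:                            # precondition: low-equivalence
        assert mem1[a].lab == mem2[a].lab and (mem1[a].lab == HIGH or mem1[a].n == mem2[a].n)
    r1, r2 = run(prog, mem1, track_pc), run(prog, mem2, track_pc)
    return r1 is None or r2 is None or r1 == r2

# Constructed sample memories: cell 0 is public, cell 1 is secret and differs.
MEM_A = {0: Val(5, LOW), 1: Val(7, HIGH)}
MEM_B = {0: Val(5, LOW), 1: Val(0, HIGH)}
LEGIT = [("load", 0), ("push", 1), ("add",), ("out",)]     # public arithmetic
EXPLICIT = [("load", 1), ("out",)]                           # direct secret leak
IMPLICIT = [("push", 0), ("load", 1), ("bnz", 4), ("push", 1), ("out",)]  # via control
```

Running IMPLICIT with track_pc=False shows the leak that pc-label tracking prevents: the two runs emit different public outputs.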
