Refinement-Based Specification and Security Analysis of Separation Kernels

Assurance of information-flow security by formal methods is mandated in the security certification of separation kernels. ARINC 653, an industrial standard for improving safety, is complied with by mainstream separation kernels. Given the recent trend of integrating safe and secure functionality into one separation kernel, a security analysis of ARINC 653, together with a formal specification carrying security proofs, is significant for the development and certification of ARINC 653 compliant separation kernels (ARINC SKs). This paper presents a refinement-based method for specification development and security analysis of ARINC SKs. We propose a generic security model and a stepwise refinement framework, and develop two levels of functional specification by refinement. A major part of the separation kernel requirements in ARINC 653 is modeled, including kernel initialization, two-level scheduling, partition and process management, and inter-partition communication. The formal specification and its security proofs are carried out in the Isabelle/HOL theorem prover. We have reviewed the source code of one industrial and two open-source ARINC SK implementations, namely VxWorks 653, XtratuM, and POK, against the formal specification. During the verification and code review, six security flaws that can cause information leakage were found in the ARINC 653 standard and the implementations.
