Micro-Policies: Formally Verified, Tag-Based Security Monitors

Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine" and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety, in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

[1]  James H. Morris Protection in Programming , 1973 .

[2]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[3]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[4]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[5]  G. Edward Suh,et al.  Flexible and Efficient Instruction-Grained Run-Time Monitoring Using On-Chip Reconfigurable Fabric , 2010, 2010 43rd Annual IEEE/ACM International Symposium on Microarchitecture.

[6]  AbadiMartín,et al.  Control-flow integrity principles, implementations, and applications , 2009 .

[7]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[8]  Dan Boneh,et al.  Cryptographically Enforced Control Flow Integrity , 2014, ArXiv.

[9]  Martín Abadi,et al.  On Layout Randomization for Arrays and Functions , 2013, POST.

[10]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[11]  Adam Chlipala,et al.  The bedrock structured programming system: combining generative metaprogramming and hoare logic in an extensible program verifier , 2013, ICFP.

[12]  Babak Falsafi,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008, 2008 International Symposium on Computer Architecture.

[13]  Deepak Garg,et al.  Information Flow Control in WebKit's JavaScript Bytecode , 2014, POST.

[14]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[15]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[16]  Lujo Bauer,et al.  Composing expressive runtime security policies , 2009, TSEM.

[17]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[18]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[19]  Frank Piessens,et al.  Provably correct inline monitoring for multithreaded Java-like programs , 2010, J. Comput. Secur..

[20]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[21]  Martín Abadi,et al.  Architectural support for software-based protection , 2006, ASID '06.

[22]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[23]  Deian Stefan,et al.  Disjunction Category Labels , 2011, NordSec.

[24]  Thomas F. Knight,et al.  A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow , 2001 .

[25]  James H. Morris Protection in programming languages , 1973, CACM.

[26]  Frederic T. Chong,et al.  Minos: Control Data Attack Prevention Orthogonal to Memory Model , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[27]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[28]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.

[29]  Koen Claessen,et al.  QuickCheck: a lightweight tool for random testing of Haskell programs , 2000, ICFP.

[30]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[31]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[32]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[33]  Benjamin C. Pierce,et al.  Testing noninterference, quickly , 2013, Journal of Functional Programming.

[34]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[35]  Deepak Garg,et al.  Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis , 2014, PLAS@ECOOP.

[36]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy software , 2005, TOPL.

[37]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[38]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[39]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[40]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[41]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[42]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[43]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[44]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[45]  Christoforos E. Kozyrakis,et al.  Raksha: a flexible information flow architecture for software security , 2007, ISCA '07.

[46]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[47]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[48]  Xavier Leroy,et al.  The CompCert Memory Model, Version 2 , 2012 .

[49]  Jonathan M. Smith,et al.  Preliminary design of the SAFE platform , 2011, PLOS '11.

[50]  Nael B. Abu-Ghazaleh,et al.  SIFT: a low-overhead dynamic information flow tracking architecture for SMT processors , 2011, CF '11.

[51]  Benjamin C. Pierce,et al.  A bisimulation for dynamic sealing , 2004, Theor. Comput. Sci..

[52]  Frank Piessens,et al.  Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base , 2013, USENIX Security Symposium.

[53]  Charlie Miller,et al.  Engineering Heap Overflow Exploits with JavaScript , 2008, WOOT.

[54]  Jonathan D. Pincus,et al.  Beyond stack smashing: recent advances in exploiting buffer overruns , 2004, IEEE Security & Privacy Magazine.

[55]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[56]  O. Sami Saydjari,et al.  LOCK trek: navigating uncharted space , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[57]  Benjamin C. Pierce,et al.  A Theory of Information-Flow Labels , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[58]  Nick Benton,et al.  Coq: the world's best macro assembler? , 2013, PPDP.

[59]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[60]  Peter G. Neumann,et al.  CHERI: a research platform deconflating hardware virtualisation and protection , 2012 .

[61]  Babak Falsafi,et al.  FADE: A programmable filtering accelerator for instruction-grain monitoring , 2014, 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA).

[62]  Ahmad-Reza Sadeghi,et al.  Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[63]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[64]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[65]  Nick Benton,et al.  High-level separation logic for low-level code , 2013, POPL.

[66]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[67]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, NSPW '99.

[68]  Limin Jia,et al.  Temporal Mode-Checking for Runtime Monitoring of Privacy Policies , 2014, CAV.

[69]  Milo M. K. Martin,et al.  WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking , 2014, CGO '14.

[70]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[71]  Howard Shrobe,et al.  TIARA: Trust Management, Intrusion-tolerance, Accountability, and Reconstitution Architecture , 2007 .

[72]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[73]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[74]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[75]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[76]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[77]  Martín Abadi,et al.  Layout Randomization and Nondeterminism , 2013, MFPS.

[78]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[79]  Felix Klaedtke,et al.  Enforceable Security Policies Revisited , 2012, TSEC.

[80]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.