Noninterference for Operating System Kernels

While intransitive noninterference is a natural property for any secure OS kernel to enforce, proving that the implementation of any particular general-purpose kernel enforces this property is yet to be achieved. In this paper we take a significant step towards this vision by presenting a machine-checked formulation of intransitive noninterference for OS kernels, and its associated sound and complete unwinding conditions, as well as a scalable proof calculus over nondeterministic state monads for discharging these unwinding conditions across a kernel's implementation. Our ongoing experience applying this noninterference framework and proof calculus to the seL4 microkernel validates their utility and real-world applicability.
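The unwinding conditions the abstract refers to, rendered as an exhaustive check over a toy kernel. This is an example added by the editor, not code from the paper or from the seL4 proofs: the four domains (a scheduler S, a sender A, a channel/downgrader C, a receiver B), the intransitive policy (A may reach B only through C), the per-domain views, the two actions and the state layout are all constructed for illustration. Steps are set-valued state transformers, a nondeterministic state monad in the small, and the two conditions checked (step respect and weak step consistency) are the standard Rushby/von Oheimb shape, quantified over every post-state; that quantifier choice is an assumption made here so a deterministic refinement cannot break the property, and need not match the paper's Isabelle definitions term for term.

```python
"""Brute-force check of two noninterference unwinding conditions on a toy kernel.

Editor's added example, not the paper's Isabelle development. Every name here
(domains, policy, views, actions, state layout) is constructed for illustration.
A step is a set-valued state transformer, i.e. a nondeterministic state monad in
the small; the conditions quantify over all post-states, an assumption chosen so
that a deterministic refinement of the model cannot break them.
"""
from itertools import product

DOMAINS = ("S", "A", "C", "B")   # scheduler, sender, channel/downgrader, receiver
USER = ("A", "C", "B")           # domains the scheduler can run

# Intransitive policy: S affects everyone, A may reach B only via C.
POLICY = ({("S", d) for d in DOMAINS}
          | {("A", "C"), ("C", "B")}
          | {(d, d) for d in DOMAINS})

def interferes(d, u):
    """d ~> u: the policy permits d to influence what u sees."""
    return (d, u) in POLICY

# State layout (constructed): (cur, regA, regB, buf, scratch)
def states():
    return list(product(USER, (0, 1), (0, 1), (0, 1), (0, 1)))

def view(u, s):
    """Observation of domain u; s ~u~ t holds iff view(u, s) == view(u, t).
    Every view includes cur, so u-equivalent states run the same domain next."""
    cur, ra, rb, buf, _scratch = s
    return {"S": (cur,), "A": (cur, ra), "C": (cur, buf), "B": (cur, rb)}[u]

def dom(action, s):
    """Domain on whose behalf an action runs; 'run' depends on the state, as in seL4."""
    return "S" if action == "switch" else s[0]

def step(action, s, leaky=False):
    """All post-states of one action (a set: the nondeterministic state monad)."""
    cur, ra, rb, buf, scratch = s
    if action == "switch":
        nxt = USER[(USER.index(cur) + 1) % len(USER)]
        return {(nxt, ra, rb, buf, sc) for sc in (0, 1)}  # scratch word is underspecified
    if cur == "A":
        new_rb = ra if leaky else rb              # leaky variant: A writes B's register directly
        return {(cur, ra, new_rb, ra, scratch)}   # A publishes regA into the channel
    if cur == "C":
        return {(cur, ra, buf, buf, scratch)}     # C forwards the channel into regB
    return {(cur, ra, (rb + 1) % 2, buf, scratch)}  # B computes on its own register

ACTIONS = ("switch", "run")

def check_unwinding(leaky=False):
    """Return every violation as (condition, action, domain, witness); [] means pass."""
    bad = []
    all_states = states()
    for a, u, s in product(ACTIONS, DOMAINS, all_states):
        d = dom(a, s)
        # Step respect: a step of d may not change what u sees unless d ~> u.
        if not interferes(d, u):
            for s2 in step(a, s, leaky):
                if view(u, s) != view(u, s2):
                    bad.append(("step_respect", a, u, (s, s2)))
        # Weak step consistency: if s and t agree for u and for the acting
        # domain d, every pair of post-states must still agree for u.
        for t in all_states:
            if view(u, s) == view(u, t) and view(d, s) == view(d, t):
                for s2, t2 in product(step(a, s, leaky), step(a, t, leaky)):
                    if view(u, s2) != view(u, t2):
                        bad.append(("weak_step_consistency", a, u, (s, t, s2, t2)))
    return bad

def reachable(s, actions, leaky=False):
    """States reachable from s by running the action sequence."""
    frontier = {s}
    for a in actions:
        frontier = {s2 for s1 in frontier for s2 in step(a, s1, leaky)}
    return frontier

if __name__ == "__main__":
    print("policy-respecting kernel:", check_unwinding())
    print("leaky kernel:", len(check_unwinding(leaky=True)), "violations")
    # A's register reaches B in three steps via C: legal under the intransitive policy.
    print(reachable(("A", 1, 0, 0, 0), ["run", "switch", "run"]))
```

Two things the run makes concrete. First, the policy-respecting kernel passes both conditions even though A's register provably reaches B's register after `run, switch, run`: that relay through C is exactly the flow an intransitive policy permits and a transitive one would forbid, and the per-step conditions never need to reason about the multi-step path. Second, the leaky variant fails only step respect, at every state where A is scheduled and A's and B's registers differ; weak step consistency still holds for it, which is why both conditions are needed. The underspecified scratch word shows how set-valued steps are handled: the checker quantifies over every post-state, so nondeterminism is harmless only while no domain's view depends on it.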
