End-to-end verification of information-flow security for C and assembly programs

Protecting the confidentiality of information manipulated by a computing system is one of the most important challenges facing today's cybersecurity community. A promising step toward conquering this challenge is to formally verify that the end-to-end behavior of the computing system really satisfies various information-flow policies. Unfortunately, because today's system software still consists of both C and assembly programs, the end-to-end verification necessarily requires that we not only prove the security properties of individual components, but also carefully preserve these properties through compilation and cross-language linking. In this paper, we present a novel methodology for formally verifying end-to-end security of a software system that consists of both C and assembly programs. We introduce a general definition of observation function that unifies the concepts of policy specification, state indistinguishability, and whole-execution behaviors. We show how to use different observation functions for different levels of abstraction, and how to link different security proofs across abstraction levels using a special kind of simulation that is guaranteed to preserve state indistinguishability. To demonstrate the effectiveness of our new methodology, we have successfully constructed an end-to-end security proof, fully formalized in the Coq proof assistant, of a nontrivial operating system kernel (running on an extended CompCert x86 assembly machine model). Some parts of the kernel are written in C and some are written in assembly; we verify all of the code, regardless of language.
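The following worked sketch is added here to make the abstract's three claims concrete; it is not text from the paper, and the symbols $\Sigma$, $\mathcal{O}_p$, $\sim_p$, $R$ and the step relation $\to$ are notational assumptions chosen for illustration.

Fix a state space $\Sigma$ and, for each principal $p$, an observation function $\mathcal{O}_p : \Sigma \to \Theta$ giving what $p$ can learn from a state. One definition then serves three purposes:

$$\text{policy:}\quad \mathcal{O}_p \text{ itself fixes which parts of } \sigma \text{ are visible to } p$$

$$\text{state indistinguishability:}\quad \sigma \sim_p \sigma' \;\iff\; \mathcal{O}_p(\sigma) = \mathcal{O}_p(\sigma')$$

$$\text{whole-execution security:}\quad \sigma_1 \sim_p \sigma_2 \;\wedge\; \sigma_1 \to^* \sigma_1' \;\wedge\; \sigma_2 \to^* \sigma_2' \;\Rightarrow\; \sigma_1' \sim_p \sigma_2'$$

To carry a proof from a high-level (C or abstract-layer) machine $\Sigma_H$ down to a low-level (assembly) machine $\Sigma_L$, take a forward simulation $R \subseteq \Sigma_H \times \Sigma_L$ (if $R(h,l)$ and $h \to h'$ then $l \to^* l'$ for some $l'$ with $R(h',l')$; the low machine is assumed deterministic so the matched run is the only run) and additionally require that $R$ preserve indistinguishability in both directions:

$$R(h_1,l_1) \;\wedge\; R(h_2,l_2) \;\Rightarrow\; \big(h_1 \sim^H_p h_2 \;\iff\; l_1 \sim^L_p l_2\big)$$

Low-level security then follows from high-level security in four steps: from $l_1 \sim^L_p l_2$ and related high states $h_1, h_2$, the $\Leftarrow$ direction gives $h_1 \sim^H_p h_2$; high-level security gives $h_1' \sim^H_p h_2'$ for the corresponding high executions; simulation plus determinism places the low executions in states $l_1', l_2'$ with $R(h_1',l_1')$ and $R(h_2',l_2')$; and the $\Rightarrow$ direction gives $l_1' \sim^L_p l_2'$. Dropping the $\Rightarrow$ direction would allow a lower level to expose more than the higher level's policy permits, which is exactly what an ordinary refinement proof does not rule out.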
