Fault-tolerant non-interference: invited talk abstract

This work is about specifying and ensuring security in unreliable systems. We study systems which are subject to transient faults -- soft errors that cause stored values to be corrupted. Transient faults occur in hardware when a high-energy particle strikes a transistor, resulting in a spontaneous bit-flip. Such events have been acknowledged as the source of major crashes in server systems. The trend towards lower threshold voltages and tighter noise margins means that susceptibility to transient faults is increasing. From a security perspective, transient faults are a known attack vector. For instance, it has been shown that a single bit flip, regardless of how is triggered, can compromise the value of a secret key in some public key and authentication systems. Fault tolerance techniques aim to preserve properties of systems despite such transient faults. Preservation of functional correctness, however, comes at a high cost, and seems to inevitably require some special form of hardware-level replication. For the predominantly-software-based techniques, with one or two notable exceptions, most works do not give precise, formal guarantees. In this work, rather than attempting to preserve full functional behaviour in the presence of faults, we consider the novel problem of guaranteeing security: faults may cause a program to go wrong, but even if it goes wrong it should not leak sensitive data, no matter if the code is crafted with malicious intent. The particular security characterization we study is non-interference, an information-flow security property which says that public outputs of a program (the low security channel) do not reveal anything about its secrets (the high security inputs). Our approach has two distinguishing features. Firstly, it does not rely on special purpose fault tolerant hardware, and secondly, it makes its assumptions precise and provides formal guarantees. We study this problem for a RISC-style machine for which the only fault-tolerant component is the ROM containing the code, but otherwise contains no special fault-tolerant components. We devise a transformation technique for programs which generates fault-tolerant noninterfering code, up to a fixed number of faults. The method is based on a strong separation of resources between different security levels, inspired by the recent technique of Secure Multi-Execution, together with a carefully chosen code and data layout, and a robust protocol for data access and control flow modifications. We prove that the transformation method yields noninterfering programs in the presence of faults, and that it preserves the meaning of a class of reasonable programs -- those which use a bounded amount of storage and which are not sensitive to exactly where in memory code and data are located.