System M: A Program Logic for Code Sandboxing and Identification

Abstract: Security-sensitive applications that execute untrusted code often check the code's integrity by comparing its syntax to a known good value, or sandbox the code to contain its effects. System M is a new program logic for reasoning about such security-sensitive applications. System M extends Hoare Type Theory (HTT) to trace safety properties and, additionally, contains two new reasoning principles. First, its type system internalizes logical equality, facilitating reasoning about applications that check code integrity. Second, a confinement rule assigns an effect type to a computation based solely on knowledge of the computation's sandbox. We prove the soundness of System M relative to a step-indexed trace-based semantic model. We illustrate both new reasoning principles of System M by verifying the main integrity property of the design of Memoir, a previously proposed trusted computing system for ensuring state continuity of isolated security-sensitive applications.
