Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security

High-assurance systems used in avionics, medical implants, and cryptographic devices often rely on a small trusted base of hardware and software to manage the rest of the system. Crafting the core of such a system in a way that achieves flexibility, security, and performance requires a careful balancing act. Simple static primitives with hard partitions of space and time are easier to analyze formally, but strict approaches to the problem at the hardware level have been extremely restrictive, failing to allow even the simplest of dynamic behaviors to be expressed. Our approach to this problem is to construct a minimal but configurable architectural skeleton. This skeleton couples a critical slice of the low-level hardware implementation with a microkernel in a way that allows information flow properties of the entire construction to be statically verified all the way down to its gate-level implementation. This strict structure is then made usable by a runtime system that delivers more traditional services (e.g., communication interfaces and long-living contexts) in a way that is decoupled from the information flow properties of the skeleton. To test the viability of this approach, we design, test, and statically verify the information-flow security of a hardware/software system complete with support for unbounded operation, inter-process communication, pipelined operation, and I/O with traditional devices. The resulting system is provably sound even when adversaries are allowed to execute arbitrary code on the machine, yet is flexible enough to allow caching, pipelining, and other common-case optimizations.
