Noninterference specifications for secure systems

This paper analyzes the noninterference specifications used by a range of formally verified systems. The main findings are that these systems use distinct specifications, and that they often employ small variations of them; both the diversity of specifications and the variations within them make it hard to pin down what security guarantee each system actually provides. We categorize these specifications and discuss their trade-offs for reasoning about information flows in systems.
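The observation that small variations in a noninterference specification change what is guaranteed can be seen on a toy system. The following Python is an added example, not code from the paper or from any of the verified systems it surveys; the two-domain state machine, its actions (including the `flush` action that lets the high domain reset low state), the policy and the observation functions are all constructed for illustration. It checks the same machine against a purge-based formulation in the Goguen-Meseguer style and a two-run nonleakage-style formulation by exhaustively enumerating short traces, and the verdicts differ: the purge-based check rejects the high-domain `flush` action because its mere occurrence changes the low view, while the nonleakage check accepts it because the value of the secret never reaches the low view.

```python
"""Two noninterference specifications applied to one toy state machine.

Added illustration, not taken from the paper. Two domains L and H with the
policy "L may influence H, H may not influence L". The same machine is
checked against (1) purge-based noninterference and (2) a two-run
nonleakage-style condition, by enumerating all traces up to a bound.
"""
from itertools import product

DOMAINS = ("L", "H")
# (source, target) pairs the policy allows; every domain may influence itself.
ALLOWED = {("L", "L"), ("L", "H"), ("H", "H")}

# Actions are (domain, name). Constructed toy system: 'flush' is an H action
# that writes L's part of the state without revealing h's value.
ACTIONS = [("L", "inc"), ("H", "set1"), ("H", "flush")]


def initial():
    return {"l": 0, "h": 0}


def step(state, action):
    _, name = action
    s = dict(state)
    if name == "inc":
        s["l"] = (s["l"] + 1) % 4  # modulo keeps the state space finite
    elif name == "set1":
        s["h"] = 1
    elif name == "flush":
        s["l"] = 0
    return s


def observe(state, domain):
    """The projection of the state that `domain` can see."""
    if domain == "L":
        return (state["l"],)
    return (state["l"], state["h"])  # H sees everything, since L -> H is allowed


def run(state, trace):
    for a in trace:
        state = step(state, a)
    return state


def purge(trace, domain):
    """Drop actions of domains that are not allowed to influence `domain`."""
    return [a for a in trace if (a[0], domain) in ALLOWED]


def all_traces(max_len):
    for n in range(max_len + 1):
        for t in product(ACTIONS, repeat=n):
            yield list(t)


def violates_purge_noninterference(max_len=3):
    """Purge-based: obs_u(run(s0, t)) must equal obs_u(run(s0, purge_u(t))).
    Returns (domain, trace) of the first counterexample, or None."""
    for u in DOMAINS:
        for t in all_traces(max_len):
            if observe(run(initial(), t), u) != observe(run(initial(), purge(t, u)), u):
                return (u, t)
    return None


def reachable(max_len=3):
    seen = {}
    for t in all_traces(max_len):
        s = run(initial(), t)
        seen[tuple(sorted(s.items()))] = s
    return list(seen.values())


def violates_nonleakage(max_len=3):
    """Two-run condition: two states that agree in the view of every domain
    allowed to influence u must stay u-equivalent under the same trace.
    Returns (domain, s, t, trace) of the first counterexample, or None."""
    states = reachable(max_len)
    for u in DOMAINS:
        sources = [d for d in DOMAINS if (d, u) in ALLOWED]
        for s, t in product(states, repeat=2):
            if any(observe(s, d) != observe(t, d) for d in sources):
                continue
            for trace in all_traces(max_len):
                if observe(run(s, trace), u) != observe(run(t, trace), u):
                    return (u, s, t, trace)
    return None


if __name__ == "__main__":
    print("purge-based counterexample:", violates_purge_noninterference())
    print("nonleakage counterexample: ", violates_nonleakage())
```

Run it and the purge-based check reports the trace `inc, flush` for domain L, while the nonleakage check reports no counterexample. Which verdict matters depends on the threat model: if the adversary in L can observe that H acted at all, the purge-based property is the one to demand; if only the secret's value must stay hidden, the nonleakage condition suffices. Bounded enumeration is a bug-finding check, not a proof; the systems the paper surveys discharge their chosen property for all traces.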
