A Formal Framework of Shielding Systems by Stepwise Refinement

Shielding systems, e.g., special-purpose hypervisors, provide more secure environments for security-critical applications (SCAs) than traditional computer systems do. In this paper, we propose a general framework for formally modeling and verifying shielding systems in order to enhance their security. The framework supports multiple types of shielding systems built on different technologies, such as Intel TXT or TrustZone. It is implemented by stepwise refinement: the early steps model the states, events and security properties common to all such systems, and the individual shielding systems are modeled in later steps, where every event is refined from an event of the previous step, so that the soundness of the security properties (e.g., memory isolation and data confidentiality) upon the occurrence of each event need not be reproved. The complexity of formally verifying a new shielding system is therefore reduced. We implement the framework in the Coq proof assistant, and find potential security threats in the use of shielding systems.
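As an added illustration (not the paper's Coq development; every name and the TrustZone-style concrete model are assumptions), the sketch below shows the pattern the abstract describes: memory isolation is proved once for an abstract page-grant event, and a concrete event inherits it through a single refinement lemma instead of a second isolation proof.

```coq
(* Hypothetical sketch, not the paper's development: a two-step refinement. *)
Require Import Arith Bool FunctionalExtensionality.

(* Step 1: common abstract model. The state records which pages (naturals) the
   security-critical application (SCA) and the untrusted OS each hold. *)
Record astate := { sca : nat -> bool; os : nat -> bool }.
(* Memory isolation: no page is held by both domains. *)
Definition a_inv (s : astate) : Prop :=
  forall p, sca s p = true -> os s p = false.
(* Abstract event: grant page p to the SCA, guarded on the OS not holding it. *)
Definition a_grant (p : nat) (s s' : astate) : Prop :=
  os s p = false /\
  s' = {| sca := fun q => if Nat.eqb q p then true else sca s q; os := os s |}.
(* Isolation is proved once, at this level. *)
Lemma a_grant_inv : forall p s s', a_inv s -> a_grant p s s' -> a_inv s'.
Proof.
  unfold a_inv, a_grant. intros p s s' Hinv [Hg Heq] q Hq. subst s'. simpl in *.
  destruct (Nat.eqb q p) eqn:E.
  - apply Nat.eqb_eq in E. subst q. exact Hg.
  - apply Hinv. exact Hq.
Qed.

(* Step 2: an assumed TrustZone-style concrete model, where each page has a
   mapped bit and a secure-world bit, linked to step 1 by abs_state. *)
Record cstate := { mapped : nat -> bool; secure : nat -> bool }.
Definition abs_state (c : cstate) : astate :=
  {| sca := fun q => mapped c q && secure c q;
     os  := fun q => mapped c q && negb (secure c q) |}.
(* Concrete event: map p into the secure world, allowed only if p is not
   currently mapped in the normal world. *)
Definition c_grant (p : nat) (c c' : cstate) : Prop :=
  (mapped c p = false \/ secure c p = true) /\
  c' = {| mapped := fun q => if Nat.eqb q p then true else mapped c q;
          secure := fun q => if Nat.eqb q p then true else secure c q |}.
(* Refinement: every concrete step is an abstract a_grant step under abs_state. *)
Lemma c_grant_refines : forall p c c',
  c_grant p c c' -> a_grant p (abs_state c) (abs_state c').
Proof.
  unfold c_grant, a_grant. intros p c c' [Hg Heq]. subst c'.
  assert (Hos : mapped c p && negb (secure c p) = false).
  { destruct Hg as [H|H]; rewrite H; [reflexivity | destruct (mapped c p); reflexivity]. }
  split; [exact Hos |].
  unfold abs_state; simpl. f_equal; apply functional_extensionality; intro q; simpl;
  destruct (Nat.eqb q p) eqn:E; try reflexivity;
  apply Nat.eqb_eq in E; subst q; symmetry; exact Hos.
Qed.
(* Isolation carries over to the concrete event with no new isolation proof. *)
Corollary c_grant_inv : forall p c c',
  a_inv (abs_state c) -> c_grant p c c' -> a_inv (abs_state c').
Proof. intros p c c' Hi Hc. exact (a_grant_inv p _ _ Hi (c_grant_refines p c c' Hc)). Qed.
```

Adding a second concrete model (say, an Intel TXT-style one) would again require only its own refinement lemma against `a_grant`, which is the cost saving the abstract claims.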
