Micro-Policies: A Framework for Verified, Hardware-Assisted Security Monitors

A wide range of low-level security policies can be expressed as rules on metadata tags and enforced using a combination of a hardware rule cache and a software monitor. We present a generic framework for defining tag-based reference monitors (or micro-policies) on a simple tagged RISC processor, formalize this framework in Coq, and use it to define and verify micro-policies for dynamic sealing, control-flow integrity, memory safety, and compartmentalization; in addition, we show how to use the tagging mechanism to protect the monitor's own integrity. For each micro-policy, we prove by refinement that the hardware running a correctly implemented monitor embodies a high-level specification characterizing a useful security property.
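The split between a hardware rule cache and a software monitor described above is easiest to see on a toy machine. The following is an added illustration, not code from the paper or its Coq development: a tiny tagged processor whose every instruction is checked by looking up a rule keyed on (opcode, tag on the PC, tag on the instruction word); a cache miss traps to a software monitor that decides the rule once and installs it, and a policy violation stops the machine. The micro-policy shown is a simplified control-flow-integrity policy. The instruction set, the tag names (NONE, "T1", "J1", "EXIT"), the rule-key shape and the control-flow graph are all assumptions made for the example.

```python
"""Toy tagged machine: a hardware-style rule cache in front of a software monitor.

Constructed illustration of the tag-based reference-monitor idea; not the paper's
Coq model or rule format. Instruction set, tag names (NONE, "T1", "J1", "EXIT") and
the (opcode, tag_pc, tag_instr) rule key are simplifying assumptions for a CFI policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

NONE = "none"                     # "no metadata" tag, on words and on the PC


@dataclass(frozen=True)
class Instr:
    op: str          # "mov" | "add" | "jnzr" | "halt"
    a: int = 0       # destination register, or register holding the jump target
    b: int = 0       # immediate (mov) or source register (add, jnzr condition)
    tag: str = NONE  # metadata tag carried by the instruction word


RuleIn = Tuple[str, str, str]     # (opcode, tag on PC, tag on instruction)
RuleOut = str                     # tag on PC for the next instruction


class PolicyViolation(Exception):
    pass


class CFIMonitor:
    """Software monitor: decides a rule once; the cache replays it afterwards."""

    def __init__(self, edges: FrozenSet[Tuple[str, str]]):
        self.edges = edges        # allowed (jump tag, successor tag) CFG edges
        self.calls = 0            # how often the hardware had to trap to software

    def rule(self, key: RuleIn) -> RuleOut:
        self.calls += 1
        op, tpc, tinstr = key
        # A tagged PC means the previous instruction was a jump; its successor
        # must be an allowed CFG edge (the fall-through successor included).
        if tpc != NONE and (tpc, tinstr) not in self.edges:
            raise PolicyViolation(f"control transfer {tpc} -> {tinstr} not in CFG")
        return tinstr if op == "jnzr" else NONE   # only jumps tag the next PC


class TaggedMachine:
    def __init__(self, program: List[Instr], monitor: CFIMonitor):
        self.prog, self.monitor = program, monitor
        self.cache: Dict[RuleIn, RuleOut] = {}   # the "hardware" rule cache
        self.hits = 0
        self.regs = [0] * 4
        self.pc, self.tpc = 0, NONE
        self.trace: List[int] = []

    def lookup(self, key: RuleIn) -> RuleOut:
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        out = self.monitor.rule(key)     # miss: trap to software, may raise
        self.cache[key] = out
        return out

    def step(self) -> bool:
        ins = self.prog[self.pc]
        self.trace.append(self.pc)
        new_tpc = self.lookup((ins.op, self.tpc, ins.tag))  # check before commit
        if ins.op == "mov":
            self.regs[ins.a] = ins.b
            self.pc += 1
        elif ins.op == "add":
            self.regs[ins.a] += self.regs[ins.b]
            self.pc += 1
        elif ins.op == "jnzr":            # indirect conditional jump
            self.pc = self.regs[ins.a] if self.regs[ins.b] != 0 else self.pc + 1
        elif ins.op == "halt":
            return False
        else:
            raise ValueError(f"unknown opcode {ins.op}")
        self.tpc = new_tpc
        return True

    def run(self, max_steps: int = 1000) -> List[int]:
        for _ in range(max_steps):
            if not self.step():
                break
        return self.trace


CFG = frozenset({("J1", "T1"), ("J1", "EXIT")})   # loop back-edge and fall-through


def count_down(loop_head: int) -> List[Instr]:
    """r1 counts 3 -> 0; the back-edge is an indirect jump through r0."""
    return [
        Instr("mov", 0, loop_head),          # r0 = jump target (attacker-controlled)
        Instr("mov", 1, 3),                  # r1 = 3
        Instr("mov", 2, -1),                 # r2 = -1
        Instr("add", 1, 2, tag="T1"),        # loop head: r1 += r2
        Instr("jnzr", 0, 1, tag="J1"),       # if r1 != 0: pc = r0
        Instr("halt", tag="EXIT"),
    ]


def run_benign() -> Tuple[List[int], int, int, int]:
    m = TaggedMachine(count_down(3), CFIMonitor(CFG))
    trace = m.run()
    return trace, m.regs[1], m.monitor.calls, m.hits


def run_hijacked() -> str:
    """Jump target corrupted to point at an untagged instruction."""
    m = TaggedMachine(count_down(1), CFIMonitor(CFG))
    try:
        m.run()
    except PolicyViolation as e:
        return str(e)
    return "no violation"


if __name__ == "__main__":
    print(run_benign())      # trace, final r1, monitor calls, cache hits
    print(run_hijacked())
```

Two things worth noticing when running it. The benign loop executes ten instructions but traps to the monitor only five times, once per distinct rule key; every later occurrence of the same key is served by the cache, which is the performance argument for the split. The hijacked run corrupts only the jump-target register, yet the transfer is refused before the target instruction executes, because the PC tag left by the jump does not form an allowed edge with the untagged target. The CFG deliberately contains the fall-through edge ("J1", "EXIT"); forgetting such edges is the usual way a CFI policy of this shape rejects legitimate programs.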
