Micro-Policies: Formally Verified, Tag-Based Security Monitors

Many of today's vulnerabilities arise from the violation of known, but in-practice unenforceable, safety and security policies, including high-level programming models and critical invariants of low-level programs. This project is aimed at showing that a wide range of low-level security policies can be efficiently enforced by a mechanism for tag-based hardware-assisted reference monitors we call micro-policies. The micro-policy enforcement mechanism is low-level and fine-grained: large metadata tags are added to all machine words and these tags are efficiently checked and propagated on each machine instruction. The structure of the tags and the tag checking and propagation rules are defined by software. This provides great flexibility for defining policies and puts no arbitrary limitations on the size of the metadata and the number of policies supported. We have already investigated micro-policies for memory safety, control-flow integrity (CFI), compartment isolation, taint tracking, information-flow control (IFC), and dynamic sealing. Hardware caching of the software's decision and several targeted micro-architectural optimizations ensure that monitoring imposes modest impact on run-time (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and chip area (110%). A crucial part of this project is formally investigating the security guarantees provided by micro-policies. In recent work we introduced a methodology for defining and reasoning about such tag-based reference monitors in terms of a higher-level "symbolic machine." We used this methodology to define and formally verify micro-policies for IFC, dynamic sealing, compartmentalization, CFI, and memory safety; in addition, we showed how to use the tagging mechanism to protect its own integrity. For each micro-policy, we proved in Coq by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. For micro-policies such as IFC and CFI we additionally used refinement to transport an extrinsic security property (e.g. non-interference, CFI) to the lowest level. Many interesting research challenges remain open for micro-policies. While so far we have studied micro-policies in isolation, in practice it is also necessary to study the interactions between micro-policies and the compiler, the linker, the loader, and the operating system (OS). As the first steps in this direction, we have started looking at using micro-policies for efficient fully abstract compilation and for compartmentalizing a tiny OS. Another challenging research question is when can micro-policies be safely composed, so that the guarantees they achieve in isolation are enforced by the composition. Certain micro-policies are known to compose sensibly, and micro-architectural optimizations ensure that they perform well on practical workloads, but the general picture of how to compose micro-policy correctness proofs remains unclear. Finally, our current hardware simulations are done for a single-core in-order RISC processor (an Alpha), while our formal work is for an even simpler idealized RISC. In the future we would like to scale our work to a modern RISC instruction set (e.g. ARM) and more advanced hardware features such as out-of-order execution and even multi-core.

[1]  James H. Morris Protection in Programming , 1973 .

[2]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[3]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[4]  Adam Chlipala,et al.  The bedrock structured programming system: combining generative metaprogramming and hoare logic in an extensible program verifier , 2013, ICFP.

[5]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[6]  Nick Benton,et al.  High-level separation logic for low-level code , 2013, POPL.

[7]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[8]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[9]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[10]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[11]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[12]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[13]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[14]  James H. Morris Protection in programming languages , 1973, CACM.

[15]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[16]  Benjamin C. Pierce,et al.  A bisimulation for dynamic sealing , 2007, Theor. Comput. Sci..

[17]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[18]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[19]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[20]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[21]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[22]  Martín Abadi,et al.  Architectural support for software-based protection , 2006, ASID '06.

[23]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[24]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[25]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[26]  Ahmad-Reza Sadeghi,et al.  Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[27]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[28]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[29]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[30]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[31]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[32]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[33]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[34]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.