A Logic of Programs with Interface-Confined Code

Interface-confinement is a common mechanism that secures untrusted code by executing it inside a sandbox. The sandbox limits (confines) the code's interaction with key system resources to a restricted set of interfaces. This practice is seen in web browsers, hypervisors, and other security-critical systems. Motivated by these systems, we present a program logic, called System M, for modeling and proving safety properties of systems that execute adversary-supplied code via interface-confinement. In addition to using computation types to specify effects of computations, System M includes a novel invariant type to specify the properties of interface-confined code. The interpretation of invariant type includes terms whose effects satisfy an invariant. We construct a step-indexed model built over traces and prove the soundness of System M relative to the model. System M is the first program logic that allows proofs of safety for programs that execute adversary-supplied code without forcing the adversarial code to be available for deep static analysis. System M can be used to model and verify protocols as well as system designs. We demonstrate the reasoning principles of System M by verifying the state integrity property of the design of Memoir, a previously proposed trusted computing system.

[1]  Leslie Lamport,et al.  Proving the Correctness of Multiprocess Programs , 1977, IEEE Transactions on Software Engineering.

[2]  Martín Abadi,et al.  Secrecy by typing in security protocols , 1999, JACM.

[3]  Leslie Lamport,et al.  Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review] , 2002, Computer.

[4]  Andrew D. Gordon,et al.  Authenticity by typing for security protocols , 2003 .

[5]  Andrew D. Gordon,et al.  A Type Discipline for Authorization Policies , 2005, ESOP.

[6]  Amal Ahmed,et al.  Step-Indexed Syntactic Logical Relations for Recursive and Quantified Types , 2006, ESOP.

[7]  Carsten Rudolph,et al.  Security Evaluation of Scenarios Based on the TCG's TPM Specification , 2007, ESORICS.

[8]  John C. Mitchell,et al.  Protocol Composition Logic (PCL) , 2007, Computation, Meaning, and Logic.

[9]  Lars Birkedal,et al.  Abstract Predicates and Mutable ADTs in Hoare Type Theory , 2007, ESOP.

[10]  Martín Abadi,et al.  Code-Carrying Authorization , 2008, ESORICS.

[11]  Lars Birkedal,et al.  Hoare type theory, polymorphism and separation1 , 2008, Journal of Functional Programming.

[12]  Andrew D. Gordon,et al.  Refinement Types for Secure Implementations , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[13]  Dilsun Kirli Kaynar,et al.  A Logic of Secure Systems and its Application to Trusted Computing , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[14]  Mark Ryan,et al.  Attack, Solution and Verification for Shared Authorisation Data in TCG TPM , 2009, Formal Aspects in Security and Trust.

[15]  J. Gregory Morrisett,et al.  Towards type-theoretic semantics for transactional concurrency , 2009, TLDI '09.

[16]  Adrian Perrig,et al.  Bootstrapping Trust in Commodity Computers , 2010, 2010 IEEE Symposium on Security and Privacy.

[17]  Andrew D. Gordon,et al.  Modular verification of security protocol code by typing , 2010, POPL '10.

[18]  Dilsun Kirli Kaynar,et al.  Compositional System Security with Interface-Confined Adversaries , 2010, MFPS.

[19]  Anupam Datta,et al.  Compositional System Security in the Presence of Interface-Confined Adversaries (CMU-CyLab-10-004) , 2010 .

[20]  Juan Chen,et al.  Enforcing Stateful Authorization and Information Flow Policies in Fine , 2010, ESOP.

[21]  Graham Steel,et al.  A Formal Analysis of Authentication in the TPM , 2010, Formal Aspects in Security and Trust.

[22]  Úlfar Erlingsson,et al.  Automated Analysis of Security-Critical JavaScript APIs , 2011, 2011 IEEE Symposium on Security and Privacy.

[23]  Deepak Garg,et al.  Verification of Information Flow and Access Control Policies with Dependent Types , 2011, 2011 IEEE Symposium on Security and Privacy.

[24]  Bruno Blanchet,et al.  Using Horn Clauses for Analyzing Security Protocols , 2011, Formal Models and Techniques for Analyzing Security Protocols.

[25]  Graham Steel,et al.  Formal Analysis of Protocols Based on TPM State Registers , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[26]  George C. Necula,et al.  Proof-Carrying Code , 2011, Encyclopedia of Cryptography and Security.

[27]  Jonathan M. McCune,et al.  Memoir: Practical State Continuity for Protected Modules , 2011, 2011 IEEE Symposium on Security and Privacy.

[28]  Jan Jürjens,et al.  Guiding a General-Purpose C Verifier to Prove Cryptographic Protocols , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[29]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2013, J. Funct. Program..