A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Buiras, Pablo; Levy, Azriel; Stefan, Deian; Russo, Alejandro; Mazières, David

doi:10.1007/978-3-319-05119-2_12

“…Our techniques can be adapted to other Haskell-like IFC systems beyond LIO. The library, case study, and details of the proofs can be found at [6].…”

Section: Resultsmentioning

confidence: 99%

“…6 To consider such computations, we simply extend the definition of Thread with a new constructor: P arallel::pure b → (b → T hread m a) → T hread m a. Here, pure is a monad that characterizes pure expressions, providing the primitive runPure :: pure b → b to obtain the value denoted by the code given as argument.…”

Section: Performance Tuningmentioning

confidence: 99%

See 1 more Smart Citation

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Buiras

¹

,

Levy

²

,

Stefan

³

et al. 2014

Trustworthy Global Computing

Self Cite

2

0

View full text Add to dashboard Cite

Abstract. Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an "instruction," i.e., atomic action. Importantly, our library allows for porting the full LIO libraryour resumption approach handles local state and exceptions, both features present in LIO. To amend for performance degradations due to the library-level thread scheduling, we provides two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers a primitive for controlling the granularity of "instructions"; this allows developers to adjust the frequency of context switching to suit application demands.

show abstract

“…We believe that this IFC mechanism could also be enforced using the hardware mechanisms we describe here. A recently proposed technique for instruction-based scheduling [17,88] is aimed at preventing leaks via the internal timing side-channel (e.g., malicious code sharing the same processor inferring secrets through timing variations arising from cache misses). This could probably be adapted to SAFE, and since the SAFE processor is very simple the mitigation could work well [24].…”

Section: Related Workmentioning

confidence: 99%

A verified information-flow architecture

Amorim

¹

,

Collins

²

,

DeHon

³

et al. 2016

JCS

View full text Add to dashboard Cite

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model.We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

show abstract

“…We believe that this IFC mechanism could also be enforced using the hardware mechanisms we describe here. A recently proposed technique for instruction-based scheduling [17,88] is aimed at preventing leaks via the internal timing side-channel (e.g., malicious code sharing the same processor inferring secrets through timing variations arising from cache misses). This could probably be adapted to SAFE, and since the SAFE processor is very simple the mitigation could work well [24].…”

Section: Related Workmentioning

confidence: 99%

A verified information-flow architecture

Amorim

¹

,

Collins

²

,

DeHon

³

et al. 2014

View full text Add to dashboard Cite

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model.We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

show abstract

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Cited by 9 publications

References 27 publications

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

A verified information-flow architecture

A verified information-flow architecture

Contact Info

Product

Resources

About