A Temporal Logic Characterisation of Oservational Determinism

Huisman, Marieke; Worah, Pratik; Sunesen, Kim

doi:10.1109/csfw.2006.6

Cited by 51 publications

(110 citation statements)

References 19 publications

Supporting

Mentioning

108

Contrasting

Order By: Relevance

“…Zdancewic and Myers introduce observational low-determinism [46], which intuitively states that the observable behavior of concurrent systems must be deterministic. After this seminal work, several authors improve on each other's definitions on low-determinism (e.g., [14]). Other IFC systems rely on deterministic semantics and a determined class of runtime schedulers (e.g., [32]).…”

Section: Related Workmentioning

confidence: 99%

“…Several IFC systems, including [13,14,32,38,40,46], model internal timing attacks and address them by ensuring that the outcome of a race to a public resource does not depend on secret data. Unfortunately, these systems only account for resources explicitly modeled at the programming language level and not underlying OS or hardware state, such as the CPU cache or TLB.…”

Section: Cache Attacks and Countermeasuresmentioning

confidence: 99%

“…Our scheduler can be used to implement other concurrent IFC systems which implicitly assume instruction-level scheduling (e.g., [13,14,32,38,46]). We implement our instruction-based scheduler as part of the Glasgow Haskell Compiler (GHC) runtime system, atop which LIO and Hails are built.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Stefan

Buiras

Yang

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Information flow control allows untrusted code to access sensitive and trustworthy information without leaking this information. However, the presence of covert channels subverts this security mechanism, allowing processes to communicate information in violation of IFC policies. In this paper, we show that concurrent deterministic IFC systems that use time-based scheduling are vulnerable to a cache-based internal timing channel. We demonstrate this vulnerability with a concrete attack on Hails, one particular IFC web framework. To eliminate this internal timing channel, we implement instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. To show the feasibility of instruction-based scheduling, we have implemented a version of Hails that uses the CPU retired-instruction counters available on commodity Intel and AMD hardware. We show that instruction-based scheduling does not impose significant performance penalties. Additionally, we formally prove that our modifications to Hails' underlying IFC system preserve non-interference in the presence of caches.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Cache Attacks and Countermeasuresmentioning

confidence: 99%

See 1 more Smart Citation

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Stefan

Buiras

Yang

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In a concurrent setting, Huisman et al (2006) have recently proposed a characterization of observational determinism (Zdancewic and Myers 2003) using self-composition. Their characterization uses temporal logics and is thus amenable to model-checking after a suitable program abstraction has been constructed.…”

Section: Related Workmentioning

confidence: 99%

Secure information flow by self-composition

Barthe¹,

D’Argenio²,

Rezk³

2011

Math. Struct. Comp. Sci.

172

215

View full text Add to dashboard Cite

Information flow policies are confidentiality policies that control information leakage through program execution. A common means to enforce secure information flow is through information flow type systems. Although type systems are compositional and usually enjoy decidable type checking or inference, their extensibility is very poor: type systems need to be redefined and proven sound for each new single variation of security policy and programming language for which secure information flow verification is desired. In contrast, program logics offer a general mechanism to enforce a variety of safety policies, and for this reason are favored in Proof Carrying Code, a promising security architecture for mobile code. However, the encoding of information flow policies in program logics is not straightforward, because they refer to a relation between two program executions. The purpose of this paper is to investigate logical formulations of secure information flow based on the idea of self-composition, that reduces the problem of secure information flow of a program P to a safety property for a programP derived from P , by composing P with a renaming of itself. Self-composition enables the use of standard techniques for information flow policies verification, such as program logics and model checking, suitable in Proof Carrying Code infrastructures. We illustrate the applicability of self-composition in several settings, including different security policies such as non-interference and controlled forms of declassification, and programming languages such as an imperative language with parallel composition, a non-deterministic language, and finally a language with shared mutable data structures.

show abstract

“…Intuitively, observational determinism expresses that a multi-threaded program is secure when its publicly observable traces are deterministic and independent of its private data. Several formal definitions are proposed in the literature, e.g., by [96,48,87], but none of them captures this intuition exactly, i.e., they accept insecure programs, since their formalizations of deterministic behavior are not precise. Besides, these definitions also claim that they are schedulerindependent, i.e, they are resistant to refinement attacks.…”

Section: Non-deterministic Multi-threaded Programsmentioning

confidence: 99%

Qualitative and quantitative information flow analysis for multi-threaded programs

Ngo¹

View full text Add to dashboard Cite

A Temporal Logic Characterisation of Oservational Determinism

Cited by 51 publications

References 19 publications

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Secure information flow by self-composition

Qualitative and quantitative information flow analysis for multi-threaded programs

Contact Info

Product

Resources

About