Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim, Arthur Azevedo de; Dénès, Maxime; Giannarakis, Nick; Hriţcu, Cătălin; Pierce, Benjamin C.; Spector-Zabusky, Antal; Tolmach, Andrew

doi:10.1109/sp.2015.55

Cited by 36 publications

(31 citation statements)

References 63 publications

(112 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, to help enforce security, the target-level linker could disallow linking with a suspicious context (e.g., one that is not welltyped [1,7,8,9,71]) or could always allow linking but introduce protection barriers between the program and the context (e.g., by instrumenting the program [35,71] or the context [5,95,96] to introduce dynamic checks). Similarly, the semantics of the target language can include various protection mechanisms (e.g., processes with different virtual address spaces [25,50,59,81,82], protected enclaves [76], capabilities [30,40,90,98], tags [5,14]). Finally, the compiler might have to refrain from aggressive optimizations that would break security [19,38,89].…”

Section: Robust Trace Property Preservation (Rtp)mentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language (e.g., a library or a legacy application). Linked target code that is compromised or malicious may, for instance, read and write the compiled program's data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any source-level abstraction. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. And the precise class of security properties one chooses crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections a secure compilation chain has to introduce.We are the first to thoroughly explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some of which provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent "property-free" characterization that clarifies which proof techniques apply. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We order our criteria by their relative strength and show several collapses and separation results. Finally, we adapt existing proof techniques to show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language.(∀C T . ∀t 1 , .., t k , ..(∀i.C T [P i ] t i ) ⇒ (t 1 , .., t k , ..) ∈ R)

show abstract

Section: Robust Trace Property Preservation (Rtp)mentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Using plain integers as tags allows us to delegate their interpretation entirely to software. In this paper we focus solely on using tags to implement IFC labels, although they could also be used for enforcing other policies, such as type and memory safety or control-flow integrity [9,35]. For instance, to implement the two-point abstract lattice with ⊥ ≤ , we could use 0 to represent ⊥ and 1 to represent , making the operations ∨ and ≤ easy to implement (see Section 6).…”

Section: Concrete Machinementioning

confidence: 99%

“…A key feature of SAFE is that every piece of data, down to the word level, is annotated with a tag representing policies that govern its use. While the tagging mechanism is very general [9,35], one particularly interesting use of tags is for representing information-flow control (IFC) policies. For example, an individual record might be tagged "This information should only be seen by principals Alice or Bob," a function pointer might be tagged "This code is trusted to work with Carol's secrets," or a string might be tagged "This came from the network and has not been sanitized yet."…”

Section: Introductionmentioning

confidence: 99%

“…In the latter case, an appropriate rule instance specifying tags for the instruction's results is added to the cache, and the faulting instruction is restarted. Thus, the hardware is generic and the interpretation of policies (e.g., IFC, memory safety or control flow integrity [9,35]) is programmed in software, with the results cached in hardware for common-case efficiency.…”

Section: Introductionmentioning

confidence: 99%

“…• a more extensive discussion of related work, including more recent work on transplanting the tagging mechanism of SAFE onto a mainstream RISC processor [30] and using it to enforce properties beyond IFC [9,35].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A verified information-flow architecture

et al. 2014

Self Cite

View full text Add to dashboard Cite

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model.We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

show abstract

Principles of Secure Processor Architecture Design

Szefer

2019

Synthesis Lectures on Computer Architecture

View full text Add to dashboard Cite

show abstract

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Cited by 36 publications

References 63 publications

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

A verified information-flow architecture

Principles of Secure Processor Architecture Design

Contact Info

Product

Resources

About