Proving full-system security properties under multiple attacker models on capability machines

Strydonck, Thomas Van; Georges, Aïna Linn; Guéneau, Armaël; Trieu, Alix; Timany, Amin; Piessens, Frank; Birkedal, Lars; Devriese, Dominique

doi:10.1109/csf54842.2022.9919645

Cited by 3 publications

(18 citation statements)

References 29 publications

(38 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As demonstrated before [25,26,52], such a UC is agnostic of software abstractions but supports reasoning about untrusted code. Essentially, one can register integrity properties of trusted code as invariants 2 , and then use the UC for justifying jumps to untrusted code.…”

Section: Capability Safety For Minimalcapsmentioning

confidence: 88%

“…A word on the machine is either an integer or a capability and these can be stored in general-purpose registers (GPRs) and in memory. MinimalCaps supports memory and object capabilities, a superset of what is supported in Cerise [25,26,52].…”

Section: Capability Machinesmentioning

confidence: 99%

“…Syntactic properties like capability monotonicity [37], which expresses that the transitively available authority cannot increase during execution, have been shown insufficient in the presence of object capabilities [18]. Therefore, we use a semantic formulation of capability safety based on logical relations [18,25,26,48,50,52] and formulate the property as a contract over the fdeCycle, following Cerise [25,26,52]. The contract states that if we start from a configuration of safe values, arbitrary code will not be able to exceed the authority of those values.…”

Section: Capability Safety For Minimalcapsmentioning

confidence: 99%

“…Using universal contracts for generally specifying ISA security guarantees requires (1) a program logic that is sufficiently expressive to express guarantees of a broad range of ISAs, and (2) a verification methodology that can verify the contracts in a semi-automated way against authoritative, engineer-friendly ISA definitions, which are typically implemented as definitional interpreters [e.g., 4,10]. Universal contracts for ISAs have already been used for capturing the capability safety property of capability machine ISAs [26,48,52], and integrity and confidentiality properties of Armv7 [16,33], but neither approach reconciles these two essential requirements. In the capability machine setting, the universal contracts have a very specific shape: a logical relation is used to define the authority represented by a capability and the universal contract is presented as the fundamental property of the logical relation.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Huyghebaert,

Keuchel,

De Roover

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Progress has recently been made on specifying instruction set architectures (ISAs) in executable formalisms rather than through prose. However, to date, those formal specifications are limited to the functional aspects of the ISA and do not cover its security guarantees. We present a novel, general method for formally specifying an ISA's security guarantees to (1) balance the needs of ISA implementations (hardware) and clients (software), ( 2) can be semiautomatically verified to hold for the ISA operational semantics, producing a high-assurance mechanically-verifiable proof, and (3) support informal and formal reasoning about security-critical software in the presence of adversarial code. Our method leverages universal contracts: software contracts that express bounds on the authority of arbitrary untrusted code. Universal contracts can be kept agnostic of software abstractions, and strike the right balance between requiring sufficient detail for reasoning about software and preserving implementation freedom of ISA designers and CPU implementers. We semi-automatically verify universal contracts against Sail implementations of ISA semantics using our Katamaran tool; a semi-automatic separation logic verifier for Sail which produces machine-checked proofs for successfully verified contracts. We demonstrate the generality of our method by applying it to two ISAs that offer very different security primitives:(1) MinimalCaps: a custom-built capability machine ISA and (2) a (somewhat simplified) version of RISC-V with PMP. We verify a femtokernel using the security guarantee we have formalized for RISC-V with PMP.

show abstract

Section: Capability Safety For Minimalcapsmentioning

confidence: 88%

Section: Capability Machinesmentioning

confidence: 99%

Section: Capability Safety For Minimalcapsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Huyghebaert,

Keuchel,

De Roover

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…The work of Georges et al [11], [12] and Skorstengaard et al [28], [29] prove a variety of stack safety properties that can be enforced on capability machines. Similarly, Van Strydonck et al [30] develop a library of verified wrappers around drivers leveraging capabilities for enforcing security properties. While these works also define and prove security properties about hardware, all their reasoning is done at the ISA level and must thus assume that the ISA is correctly implemented in hardware.…”

Section: F Quantitative Summary Of the Proof Effortmentioning

confidence: 99%

A Generic Framework to Develop and Verify Security Mechanisms at the Microarchitectural Level: Application to Control-Flow Integrity

Baty,

Wilke,

Hiet

et al. 2023

2023 IEEE 36th Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés. Copyright

show abstract

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Georges,

Guéneau,

Van Strydonck

et al. 2024

J. ACM

Self Cite

View full text Add to dashboard Cite

A capability machine is a type of CPU allowing fine-grained privilege separation using capabilities , machine words that represent certain kinds of authority. We present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. We use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant. The methodology we present underlies recent work of the authors on formal reasoning about capability machines [15, 33, 37], but was left somewhat implicit in those publications. In this paper we present a pedagogical introduction to the methodology, in a simpler setting (no exotic capabilities), and starting from minimal examples. We work our way up to new results about a heap-based calling convention and implementations of sophisticated object-capability patterns of the kind previously studied for high-level languages with object-capabilities, demonstrating that the methodology scales to such reasoning.

show abstract

Proving full-system security properties under multiple attacker models on capability machines

Cited by 3 publications

References 29 publications

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

A Generic Framework to Develop and Verify Security Mechanisms at the Microarchitectural Level: Application to Control-Flow Integrity

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Contact Info

Product

Resources

About