
Noninterference for Operating System Kernels [chapter]

Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, Gerwin Klein
2012 Lecture Notes in Computer Science  
While intransitive noninterference is a natural property for any secure OS kernel to enforce, proving that the implementation of any particular general-purpose kernel enforces this property is yet to be  ...  In this paper we take a significant step towards this vision by presenting a machine-checked formulation of intransitive noninterference for OS kernels, and its associated sound and complete unwinding  ...  Acknowledgements We thank Kai Engelhardt, Sean Seefried, and Timothy Bourke for their comments on earlier drafts of this paper.  ... 
doi:10.1007/978-3-642-35308-6_12 fatcat:6ungrww2brhyfephpjgptbfm5a
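The unwinding conditions this entry refers to are local, per-step proof obligations that together imply the global noninterference property. The block below is an added illustration, not code from this paper or from seL4: it brute-forces the classic Rushby (1992) unwinding conditions for intransitive noninterference (output consistency, weak step consistency, local respect) over a constructed two-partition kernel model with 16 states. The partitions P1 and P2, the actions, and the policy that allows P1 to interfere with P2 but not the reverse are all hypothetical; the paper's own machine-checked formulation differs in form and is not reproduced here. The model deliberately exposes a P2.reply action that writes into P1's inbox, so the checker reports it as a local-respect violation, i.e. a back-channel the policy forbids; removing it from the interface makes the check pass.

```python
"""Brute-force check of Rushby-style unwinding conditions on a toy
two-partition kernel.  All names, states and the policy are constructed
for illustration only (not code from Murray et al. or seL4)."""
from itertools import product

# State = (cell_P1, inbox_P1, cell_P2, inbox_P2); every component is a bit.
STATES = list(product((0, 1), repeat=4))
DOMAINS = ("P1", "P2")

# Hypothetical policy: (u, v) means domain u may interfere with domain v.
# P1 may send to P2 over a sanctioned channel; nothing may flow P2 -> P1.
POLICY = {("P1", "P1"), ("P2", "P2"), ("P1", "P2")}

def view(state, domain):
    """Observation function: a partition sees only its own cell and inbox."""
    c1, i1, c2, i2 = state
    return (c1, i1) if domain == "P1" else (c2, i2)

def equiv(s, t, domain):
    """s ~_domain t: the two states look identical to `domain`."""
    return view(s, domain) == view(t, domain)

def step(state, action):
    """Kernel transition for one action given as (name, argument)."""
    c1, i1, c2, i2 = state
    name, arg = action
    if name == "P1.write":
        return (arg, i1, c2, i2)
    if name == "P1.send":            # sanctioned channel P1 -> P2
        return (c1, i1, c2, c1)
    if name == "P2.write":
        return (c1, i1, arg, i2)
    if name == "P2.reply":           # unsanctioned back-channel P2 -> P1
        return (c1, c2, c2, i2)
    raise ValueError(f"unknown action {name}")

def dom(action):
    """dom(a): the domain issuing action a (encoded in the action name)."""
    return action[0].split(".")[0]

# Two kernel interfaces: the leaky one exposes P2.reply, the fixed one does not.
ACTIONS_LEAKY = [("P1.write", 0), ("P1.write", 1), ("P1.send", None),
                 ("P2.write", 0), ("P2.write", 1), ("P2.reply", None)]
ACTIONS_FIXED = [a for a in ACTIONS_LEAKY if a[0] != "P2.reply"]

def check_unwinding(actions, policy):
    """Return every violation as (condition, action name, observer, state[, state]).
    An empty list means all three unwinding conditions hold on this model."""
    violations = []
    for u in DOMAINS:
        # Output consistency: s ~_u t  =>  output_u(s) = output_u(t).
        # Holds by construction here because ~_u is defined through view(),
        # but a model with a separate output function must check it.
        for s, t in product(STATES, repeat=2):
            if equiv(s, t, u) and view(s, u) != view(t, u):
                violations.append(("output_consistency", None, u, s, t))
        for a in actions:
            d = dom(a)
            # Local respect: if dom(a) may not interfere with u, then
            # performing a must not change what u observes.
            if (d, u) not in policy:
                for s in STATES:
                    if not equiv(s, step(s, a), u):
                        violations.append(("local_respect", a[0], u, s))
            # Weak step consistency: states that agree for u and for dom(a)
            # must still agree for u after a.
            for s, t in product(STATES, repeat=2):
                if equiv(s, t, u) and equiv(s, t, d):
                    if not equiv(step(s, a), step(t, a), u):
                        violations.append(("weak_step_consistency", a[0], u, s, t))
    return violations

if __name__ == "__main__":
    for label, acts in (("leaky", ACTIONS_LEAKY), ("fixed", ACTIONS_FIXED)):
        found = check_unwinding(acts, POLICY)
        print(f"{label} interface: {len(found)} violation(s)")
        for item in found[:3]:
            print("  ", item)
```

Exhaustive enumeration is only feasible because the state space is tiny; the point of the machine-checked approach in the paper is that the same per-step obligations are discharged symbolically over the real kernel state, where enumeration is impossible. Note that the leaky interface fails only local respect, not weak step consistency: the back-channel is a flow the policy forbids, not a nondeterminism in how equivalent states evolve.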

Modeling Information Routing With Noninterference

Ruud Koolen, Julien Schmaltz
2016 International Conference on High Performance Embedded Architectures and Compilers  
These extensions enable the reasoning at an abstract level built on top of noninterference, at a much finer level than allowed by base noninterference.  ...  To achieve the highest levels of assurance, systems based on the MILS architecture need to be formally analysed.  ...  That is, an operating system can be considered a separation kernel if, for a given information flow policy , it can guarantee that the system as a whole satisfies the noninterference property no matter  ... 
doi:10.5281/zenodo.47980 dblp:conf/hipeac/KoolenS16 fatcat:nanskixuezeuxlowxctw4pot2q

Nickel: A Framework for Design and Verification of Information Flow Control Systems

Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang
2018 USENIX Symposium on Operating Systems Design and Implementation  
Our experience shows that Nickel is effective in identifying and ruling out covert channels, and that it can verify noninterference for systems with a low proof burden.  ...  Using Nickel, we have designed, implemented, and verified NiStar, the first OS kernel for decentralized information flow control that provides (1) a precise specification for its interface, (2) a formal  ...  We thank Nickolai Zeldovich and Ronghui Gu for answering our questions on HiStar and mCertiKOS, respectively.  ... 
dblp:conf/osdi/Sigurbjarnarson18 fatcat:hcsjyy2ijfc6zjibtohvyisreq

Typing illegal information flows as program effects

Ana Almeida Matos, José Fragoso Santos
2012 Proceedings of the 7th Workshop on Programming Languages and Analysis for Security - PLAS '12  
Our type and effect system provides a mechanism for deriving the flow kernel that characterizes the illegal flows that occur within a program, and which can be used to support runtime decisions of compliance  ...  To this end, sets of illegal information flows are represented as downward closure operators (here referred to as flow kernels) on a given lattice of security levels.  ...  Acknowledgments The authors would like to thank the Indes team at INRIA and all anonymous reviewers for discussions and comments that have improved the final outcome of the paper.  ... 
doi:10.1145/2336717.2336718 dblp:conf/pldi/MatosS12 fatcat:l7gnpj6yzvgo5iuimyd54a2tnq

High-Assurance Separation Kernels: A Survey on Formal Methods [article]

Yongwang Zhao, David Sanan, Fuyuan Zhang, Yang Liu
2017 arXiv pre-print
Finally, four challenges and their possible technical directions for future research are identified, e.g. specification bottleneck, multicore and concurrency, and automation of full formal verification  ...  On the other hand, high-assurance separation kernels by formal methods still face big challenges.  ...  [Figure: Reference Architecture of Separation Kernels; Partition1 ... Partitionn, each hosting an operating system and application software]  ... 
arXiv:1701.01535v1 fatcat:wivlgaqkmffc5nb2kalmpy77sy

Formal Framework For Mils Integration

Julien Schmaltz, Holger Blasum, Bruno Langenstein, Betrand Leconte, Kevin Müller, Freek Verbeek, Ruud Koolen
2016 Zenodo  
As an illustration of our approach, we formally model and analyse an example system inspired by the GWV Firewall.  ...  These extensions enable the reasoning at an abstract level built on top of noninterference, at a much finer level than allowed by base noninterference.  ...  That is, an operating system can be considered a separation kernel if, for a given information flow policy , it can guarantee that the system as a whole satisfies the noninterference property no matter  ... 
doi:10.5281/zenodo.57413 fatcat:mvqqomtiafcfxmyb3fkaagor6q

Noninterference for a Practical DIFC-Based Operating System

Maxwell Krohn, Eran Tromer
2009 30th IEEE Symposium on Security and Privacy
The Flume system is an implementation of decentralized information flow control (DIFC) at the operating system level.  ...  means of a noninterference proof in the Communicating Sequential Processes formalism.  ...  We thank them all for  ... 
doi:10.1109/sp.2009.23 dblp:conf/sp/KrohnT09 fatcat:fzhg7p7hqjf7hifqh4xxz3fmsa

A verified information-flow architecture

Arthur Azevedo de Amorim, Nathan Collins, André DeHon, Delphine Demange, Cătălin Hriţcu, David Pichardie, Benjamin C. Pierce, Randy Pollack, Andrew Tolmach
2016 Journal of Computer Security  
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows.  ...  The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies.  ...  Smith, Deian Stefan, and Greg Sullivan for useful discussions and helpful feedback on early drafts. We also thank the anonymous reviewers for their insightful comments.  ... 
doi:10.3233/jcs-15784 fatcat:2gzaehcyhvbknd36qivbp3dtym

A verified information-flow architecture

Arthur Azevedo de Amorim, Nathan Collins, André DeHon, Delphine Demange, Cătălin Hriţcu, David Pichardie, Benjamin C. Pierce, Randy Pollack, Andrew Tolmach
2014 Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - POPL '14  
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows.  ...  The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies.  ...  Smith, Deian Stefan, and Greg Sullivan for useful discussions and helpful feedback on early drafts. We also thank the anonymous reviewers for their insightful comments.  ... 
doi:10.1145/2535838.2535839 dblp:conf/popl/AmorimCDDHPPPT14 fatcat:caghr7pxirdnfhhgs7seyz7jgu

A survey on formal specification and verification of separation kernels [article]

Yongwang Zhao
2016 arXiv pre-print
Separation kernels are fundamental software of safety and security-critical systems, which provide to their hosted applications spatial and temporal separation as well as controlled information flows among  ...  The application of separation kernels in critical domain demands the correctness of the kernel by formal verification. To the best of our knowledge, there is no survey paper on this topic.  ...  Therefore, the concept of separation kernel is adopted in avionics as the kernel of partitioning operating systems for IMA.  ... 
arXiv:1508.07066v3 fatcat:o6rltzjp4vf4jeifjddfbtmuv4

Reasoning About Information Flow Security of Separation Kernels with Channel-based Communication [article]

Yongwang Zhao, David Sanan, Fuyuan Zhang, Yang Liu
2015 arXiv pre-print
As an industrial standard for separation kernels, ARINC 653 has been complied with by mainstream separation kernels.  ...  We provide a reusable formal specification and security proofs for separation kernels in Isabelle/HOL.  ...  State-event based noninterference [27] is usually chosen for verifying general purpose operating systems and separation kernels [20] .  ... 
arXiv:1510.05091v1 fatcat:dafdhql3rrc7rhxmmjj4gpxtrq

A Design and Verification Methodology for a TrustZone Trusted Execution Environment

Haiyong Sun, Hang Lei
2020 IEEE Access  
ACKNOWLEDGMENT We thank the paper reviewers for their many valuable comments. We also thank AJE for its linguistic assistance during the preparation of this manuscript.  ...  At the kernel level, the Linux kernel provides more complete system services, such as memory management, process management, network communication, and file system management, while the trusted kernel  ...  We define operational semantics for in Fig. 9 and use standard semantics for the remaining statements.  ... 
doi:10.1109/access.2020.2974487 fatcat:efkxklgmlbah5jbp4nxpegfyau

Automatic Derivation of Platform Noninterference Properties [chapter]

Oliver Schwarz, Mads Dam
2016 Lecture Notes in Computer Science  
The analysis is represented in HOL4 using a direct semantical embedding of noninterference, and does not use an explicit type system, in order to (i) minimize the trusted computing base, and to (ii) support  ...  For the verification of system software, information flow properties of the instruction set architecture (ISA) are essential.  ...  Fox, Roberto Guanciale, Nicolae Paladi, and the anonymous reviewers for their helpful comments.  ... 
doi:10.1007/978-3-319-41591-8_3 fatcat:c2m6q5xl3rhbvpsjkilo4dmjqm

A Verified Information-Flow Architecture [article]

Arthur Azevedo de Amorim, Nathan Collins, André DeHon, Delphine Demange, Catalin Hritcu, David Pichardie, Benjamin C. Pierce, Randy Pollack, Andrew Tolmach
2016 arXiv pre-print
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows.  ...  The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies.  ...  Similarly, operating systems with information-flow tracking have been a staple of the OS literature for over a decade [36, 54, 55, 66, 97, 97] .  ... 
arXiv:1509.06503v2 fatcat:ajryc67ilzhqbg2l435lpazaki

seL4: From General Purpose to a Proof of Information Flow Enforcement

T. Murray, D. Matichuk, M. Brassil, P. Gammie, T. Bourke, S. Seefried, C. Lewis, Xin Gao, G. Klein
2013 IEEE Symposium on Security and Privacy
Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8,830 lines of C code that implement seL4, and so rules out the possibility of invalidation  ...  This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control  ...  Chris North, the anonymous reviewers, Cătălin Hriţcu and Gernot Heiser for their feedback on earlier drafts of this paper.  ... 
doi:10.1109/sp.2013.35 dblp:conf/sp/MurrayMBGBSLGK13 fatcat:ixjwu5pzzncsjczh5rhptkwytu