Micro-Policies: Formally Verified, Tag-Based Security Monitors

Arthur Azevedo de Amorim, Maxime Denes, Nick Giannarakis, Catalin Hritcu, Benjamin C. Pierce, Antal Spector-Zabusky, Andrew Tolmach
2015 IEEE Symposium on Security and Privacy
Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

Figure: overview of the refinement architecture. Abstract machine specification for micro-policy P; symbolic machine instance for P (the generic symbolic machine plus the micro-policy-specific symbolic micro-policy: tags, transfer function, and monitor services); concrete machine running the policy monitor for P (the generic concrete machine and miss handler plus the monitor code for P: transfer function and monitor services). Each level refines the one above it: abstract, symbolic, concrete.
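To make the abstract's architecture concrete, here is an added toy example (constructed for this page, not the paper's Coq development) of a symbolic machine running a heap memory-safety micro-policy. Tags are region colours carried by pointers and by allocated memory cells; the policy's transfer function on tags plays the role of the software controller, a dictionary keyed on the instruction's tag vector models the hardware rule cache, and `alloc`/`free` are the monitor services. The machine, the tag encoding, the bump allocator and the instruction set are all simplifications assumed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed example: a toy symbolic machine for a heap memory-safety
# micro-policy. Tags are region colours (int) on pointers and allocated
# cells; None marks plain data and unallocated cells.
Tag = Optional[int]
# The rule cache is keyed on the opcode plus the tags the policy inspects.
RuleInput = Tuple[str, Tag, Tag, Tag]  # (opcode, pointer tag, cell region tag, value tag)


class PolicyViolation(Exception):
    """The transfer function rejected the instruction; the monitor halts it."""


def transfer(op: str, ptr: Tag, region: Tag, val: Tag) -> Tag:
    """Software controller: the micro-policy's transfer function on tags.

    Returns the tag of the instruction's result or raises PolicyViolation.
    """
    if op in ("load", "store"):
        # A pointer may touch a cell only if its colour matches the cell's colour;
        # this rejects out-of-bounds accesses (wrong region) and use-after-free
        # (cell colour reset to None).
        if ptr is None or ptr != region:
            raise PolicyViolation(f"{op}: pointer colour {ptr} vs cell colour {region}")
        # load: the result carries the tag stored with the value;
        # store: the cell's value tag becomes the stored value's tag.
        return val
    raise PolicyViolation(f"no rule for opcode {op!r}")


class SymbolicMachine:
    def __init__(self, mem_size: int) -> None:
        self.values: List[int] = [0] * mem_size
        self.val_tags: List[Tag] = [None] * mem_size  # tag of the value in each cell
        self.regions: List[Tag] = [None] * mem_size   # region colour of each cell
        self.cache: Dict[RuleInput, Tag] = {}         # model of the hardware rule cache
        self.hits = self.misses = 0
        self.next_colour = 1
        self.brk = 0                                  # bump allocator frontier

    def _rule(self, op: str, ptr: Tag, region: Tag, val: Tag) -> Tag:
        """Rule cache lookup; on a miss the handler runs the transfer function
        and installs the resulting rule (a rejected rule is never installed)."""
        key: RuleInput = (op, ptr, region, val)
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        self.misses += 1
        result = transfer(*key)
        self.cache[key] = result
        return result

    # Monitor services: run inside the controller, not through the cache.
    def alloc(self, n: int) -> Tuple[int, Tag]:
        """Allocate n cells with a fresh colour; return (base address, colour)."""
        base, colour = self.brk, self.next_colour
        if base + n > len(self.values):
            raise MemoryError("out of memory")
        for i in range(base, base + n):
            self.regions[i] = colour
            self.values[i], self.val_tags[i] = 0, None
        self.brk, self.next_colour = base + n, colour + 1
        return base, colour

    def free(self, base: int, n: int, colour: Tag) -> None:
        """Return cells to the unallocated state (colour None)."""
        for i in range(base, base + n):
            if self.regions[i] == colour:
                self.regions[i] = None

    # Instructions: every step consults the rule cache before touching memory.
    def load(self, ptr: int, ptr_tag: Tag) -> Tuple[int, Tag]:
        tag = self._rule("load", ptr_tag, self.regions[ptr], self.val_tags[ptr])
        return self.values[ptr], tag

    def store(self, ptr: int, ptr_tag: Tag, value: int, value_tag: Tag) -> None:
        tag = self._rule("store", ptr_tag, self.regions[ptr], value_tag)
        self.values[ptr], self.val_tags[ptr] = value, tag


def demo() -> Dict[str, object]:
    """Run a few accesses and report which ones the policy allowed or blocked."""
    m = SymbolicMachine(16)
    a, ca = m.alloc(4)
    b, cb = m.alloc(4)
    out: Dict[str, object] = {}

    m.store(a + 1, ca, 42, None)
    out["in_bounds"] = m.load(a + 1, ca)[0]
    m.load(a + 1, ca)                       # same tag vector: served from the cache

    def attempt(name: str, ptr: int, ptr_tag: Tag) -> None:
        try:
            m.load(ptr, ptr_tag)
            out[name] = "allowed"
        except PolicyViolation:
            out[name] = "blocked"

    attempt("overflow", a + 4, ca)          # one past region a, into region b
    m.free(b, 4, cb)
    attempt("use_after_free", b, cb)

    m.store(a + 2, ca, b, cb)               # store a pointer value with its colour
    out["pointer_tag_preserved"] = m.load(a + 2, ca)[1] == cb
    out["cache"] = (m.hits, m.misses)
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the design the abstract describes: the transfer function is the only place where policy decisions are made, so proving it correct is the micro-policy-specific work, while the cache and miss handler are policy-agnostic and simply memoise the controller's answers (the repeated load is a cache hit; the out-of-bounds and use-after-free loads miss, are rejected, and install nothing).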
doi:10.1109/sp.2015.55 dblp:conf/sp/AmorimDGHPST15 fatcat:h3c43yx4ofblzhmkl7d64h2h5q