![Page 1: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control](https://reader034.vdocuments.mx/reader034/viewer/2022051904/5ff63985e172553ad048ff4a/html5/thumbnails/1.jpg)
Nickel: A Framework for Design and Verification of Information Flow Control Systems
Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang
Enforcing information flow control is critical
Covert channels through error codes
Eliminating unintended flows is difficult
• Covert channels: a channel not intended for information flow [Lampson ‘73]
• Covert channels are often inherent in interface design
• Examples of covert channels in interfaces:
  • ARINC 653 avionics standard [TACAS ‘16]
  • Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]
Our approach: verification-driven interface design
Specify policy → Design interface → Verify interface against policy; a counterexample feeds back into the interface design
• Extends prior work on push-button verification: Yggdrasil [OSDI ‘16] & Hyperkernel [SOSP ‘17]
• Limitations:
  • Finite interface, expressible using SMT
  • Hardware-based side channels not in scope; no concurrency
Contributions
• New formulation and proof strategy for noninterference
• Nickel: a framework for design and verification of information flow control (IFC) systems
• Experience building three systems using Nickel
  • First formally verified decentralized IFC OS kernel
  • Low proof burden: order of weeks
Covert channel in resource names
Policy: Process 1 and Process 2 should not communicate
Design: spawn with sequential PID allocation
• Step 1: Process 2 calls spawn → PID 3
• Step 2: Process 1 calls spawn 5 times → PIDs 3+1, …, 3+5
• Step 3: Process 2 calls spawn → PID 3+5+1
The PID returned to Process 2 encodes how many times Process 1 has spawned, so the interface itself carries information from Process 1 to Process 2 in violation of the policy.
Examples of covert channels
• Resource names
• Resource exhaustion
• Statistical information
• Error handling
• Scheduling
• Devices and services
Noninterference intuition
Run with Process 1’s actions present:
• Process 2: spawn → 3
• Process 1: spawn 5 times
• Process 2: spawn → 9
Run with Process 1’s actions purged:
• Process 2: spawn → 3
• Process 2: spawn → 4
Process 2 observes different outputs (9 vs. 4), so Process 1 interferes with Process 2.
Information flow policies in Nickel
• Set of domains $\mathcal{D}$: e.g., processes
• Can-flow-to relation $\rightsquigarrow \subseteq \mathcal{D} \times \mathcal{D}$: permitted flow between domains
• Function $\mathit{dom} : A \times S \to \mathcal{D}$: maps an action and a state to a domain
Flexible definition enables a broad set of policies:
• The can-flow-to relation can be intransitive
• $\mathit{dom}$ can be state dependent
Noninterference definition
$$\mathit{sources}(\epsilon, u, s) := \{u\}$$
$$\mathit{sources}(a \circ tr, u, s) := \begin{cases} \mathit{sources}(tr, u, \mathit{step}(s, a)) \cup \{\mathit{dom}(a, s)\} & \text{if } \exists v \in \mathit{sources}(tr, u, \mathit{step}(s, a)).\ \mathit{dom}(a, s) \rightsquigarrow v \\ \mathit{sources}(tr, u, \mathit{step}(s, a)) & \text{otherwise} \end{cases}$$
$$\mathit{purge}(\epsilon, u, s) := \{\epsilon\}$$
$$\mathit{purge}(a \circ tr, u, s) := \begin{cases} \{a \circ tr' \mid tr' \in \mathit{purge}(tr, u, \mathit{step}(s, a))\} & \text{if } \mathit{dom}(a, s) \in \mathit{sources}(a \circ tr, u, s) \\ \{a \circ tr' \mid tr' \in \mathit{purge}(tr, u, \mathit{step}(s, a))\} \cup \mathit{purge}(tr, u, s) & \text{otherwise} \end{cases}$$
A system satisfies noninterference for a policy if
$$\forall tr, a.\ \forall tr' \in \mathit{purge}(tr, \mathit{dom}(a, \mathit{run}(\mathit{init}, tr)), \mathit{init}).\ \mathit{output}(\mathit{run}(\mathit{init}, tr), a) = \mathit{output}(\mathit{run}(\mathit{init}, tr'), a)$$
Given a policy, purging actions “irrelevant” to a domain should not affect the output of the actions for that domain.
Automated verification of noninterference
Proof strategy: unwinding conditions
• $\mathcal{I}(\mathit{init})$ and $\mathcal{I}(s) \Rightarrow \mathcal{I}(\mathit{step}(s, a))$ (state invariant)
• $\approx_u$ is reflexive, symmetric, and transitive
• $\mathcal{I}(s) \wedge \mathcal{I}(t) \wedge s \approx_u t \Rightarrow (\mathit{dom}(a, s) \rightsquigarrow u \Leftrightarrow \mathit{dom}(a, t) \rightsquigarrow u)$
• $\mathcal{I}(s) \wedge \mathit{dom}(a, s) \not\rightsquigarrow u \Rightarrow s \approx_u \mathit{step}(s, a)$ (an action whose domain may not flow to $u$ leaves the state unchanged as far as $u$ can observe)
• Together the conditions imply noninterference
• Each condition requires reasoning only about individual actions
• Amenable to automated reasoning using SMT
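The PID covert channel, the sources/purge definition of noninterference, and the local-respect unwinding condition, all worked through on one toy model. This is an added example, not code from the Nickel paper or its artifact. It assumes two domains (Process 1 and Process 2), a single `spawn` action, the isolation policy in which a domain can flow only to itself, and an observation function `obs(s, u)` whose equality stands in for $\approx_u$; `SeqAlloc`, `PartAlloc`, `check_noninterference` and `check_local_respect` are names chosen here. `PartAlloc` applies the "partition names among domains" pattern and is the fixed design.

```python
"""Toy model of the sequential-PID covert channel and its partitioned fix.

Added example, not code from the Nickel paper or artifact.  Two isolated
processes (domains 1 and 2) share a single action, spawn.  SeqAlloc is the
leaky design from the slides; PartAlloc partitions the PID space per domain.
Both are checked by brute force over bounded traces against the sources/purge
definition of noninterference and against the local-respect unwinding
condition.  dom(a, s) ignores the state here; in Nickel it may depend on it.
"""
from itertools import product

DOMAINS = (1, 2)
ACTIONS = tuple(("spawn", d) for d in DOMAINS)  # ("spawn", calling process)

def can_flow(d, u):
    """Policy: a process may flow only to itself (no communication)."""
    return d == u

def dom(action, state):
    return action[1]

class SeqAlloc:
    """One global counter: every spawn returns the next free PID."""
    init = (3,)  # next free PID, as on the slides
    @staticmethod
    def step(s, a):
        return (s[0] + 1,)
    @staticmethod
    def output(s, a):
        return s[0]  # PID handed back to the caller
    @staticmethod
    def obs(s, u):
        return s[0]  # every caller learns the shared counter

class PartAlloc:
    """Per-domain counters: a PID is an (owner, index) pair."""
    init = (0, 0)
    @staticmethod
    def step(s, a):
        new = list(s)
        new[dom(a, s) - 1] += 1
        return tuple(new)
    @staticmethod
    def output(s, a):
        d = dom(a, s)
        return (d, s[d - 1])
    @staticmethod
    def obs(s, u):
        return s[u - 1]  # a caller sees only its own counter

def run(m, s, tr):
    for a in tr:
        s = m.step(s, a)
    return s

def sources(m, tr, u, s):
    """Domains whose actions in tr may (transitively) flow to u."""
    if not tr:
        return {u}
    a, rest = tr[0], tr[1:]
    later = sources(m, rest, u, m.step(s, a))
    d = dom(a, s)
    return later | {d} if any(can_flow(d, v) for v in later) else later

def purge(m, tr, u, s):
    """Set of traces obtained by dropping actions irrelevant to u."""
    if not tr:
        return {()}
    a, rest = tr[0], tr[1:]
    kept = {(a,) + t for t in purge(m, rest, u, m.step(s, a))}
    if dom(a, s) in sources(m, tr, u, s):
        return kept
    return kept | purge(m, rest, u, s)

def check_noninterference(m, max_len=3):
    """First (trace, action, purged trace) whose outputs differ, or None."""
    for n in range(max_len + 1):
        for tr in product(ACTIONS, repeat=n):
            s = run(m, m.init, tr)
            for a in ACTIONS:
                for tr2 in purge(m, tr, dom(a, s), m.init):
                    if m.output(run(m, m.init, tr2), a) != m.output(s, a):
                        return (tr, a, tr2)
    return None

def check_local_respect(m, max_len=3):
    """dom(a, s) cannot flow to u  =>  s and step(s, a) look alike to u."""
    states = {m.init}
    for _ in range(max_len):
        states |= {m.step(s, a) for s in states for a in ACTIONS}
    for s in sorted(states):
        for a in ACTIONS:
            for u in DOMAINS:
                if can_flow(dom(a, s), u):
                    continue
                if m.obs(s, u) != m.obs(m.step(s, a), u):
                    return (s, a, u)
    return None

if __name__ == "__main__":
    for m in (SeqAlloc, PartAlloc):
        print(m.__name__, check_noninterference(m), check_local_respect(m))
```

For `SeqAlloc` the trace-based check reports the slide's scenario in miniature (Process 1 spawns once, Process 2 then sees PID 4 instead of 3 when Process 1's action is purged) and the unwinding check fails on the very first state, which is what Nickel's SMT counterexample would point at. For `PartAlloc` both checks pass on every bounded trace; the unwinding check needs only one step per state, which is why it scales to SMT where enumerating traces does not.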
Outline
• New formulation and proof strategy for noninterference
• Nickel: a framework for design and verification of information flow control (IFC) systems
• Experience building three systems using Nickel
  • First formally verified decentralized IFC OS kernel
  • Low proof burden: order of weeks
Verification-driven interface design in Nickel
1. Specify policy
2. Design interface
3. Verify interface against policy; a counterexample sends the designer back to step 2
4. Implement interface
5. Verify implementation against interface
Inputs to Nickel
• Trusted: information flow policy and observation function
• Interface specification (what is verified against the policy)
Example policy: domains pid 1, pid 2, …, pid n; the n processes are not allowed to communicate with each other
Nickel verifier
• Takes the trusted information flow policy and observation function together with the interface specification
• Checks the unwinding conditions with an SMT solver
• A counterexample points either at a covert channel in the interface design or at a bug in the specification or policy; the designer fixes it and re-runs the verifier
• When no counterexample exists, the interface is verified against the policy
Design patterns for closing channels
• Partition names among domains
• Reduce flows to the scheduler
• Perform flow checks early
• Limit resource usage with quotas
• Encrypt names from a large space
• Expose or enclose nondeterminism
Decentralized information flow control (DIFC)
• Flexible mechanism to enforce security policies [SOSP ’97]
  • Each object is assigned labels for tracking and mediating data access
• Several operating system kernels enforce DIFC: Asbestos [SOSP ’05], HiStar [OSDI ’06], Flume [SOSP ’07]
• Our goal: build a DIFC OS kernel without any covert channels
NiStar: first verified DIFC OS
• Resembles an exokernel with a finite interface design: 46 system calls and exception handlers
• Supports the musl C standard library via Linux emulation, a file system, and the lwIP network service
• Enforces information flow among a small number of object types: labels, containers, threads, gates, page-table pages, user pages, quanta
• Each object is assigned three labels: secrecy $S$, integrity $I$, ownership $O$
• Simple policy: given two objects with domains $\mathcal{L}_1 = \langle S_1, I_1, O_1 \rangle$ and $\mathcal{L}_2 = \langle S_2, I_2, O_2 \rangle$,
  $\mathcal{L}_1 \rightsquigarrow \mathcal{L}_2 := (S_1 - O_1 \subseteq S_2 \cup O_2) \wedge (I_2 - O_2 \subseteq I_1 \cup O_1)$
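The label relation above, coded up as an added example (not NiStar's own code; the page does not show how NiStar represents labels). Tags are plain strings and the scenario (an object tainted with Alice's secrecy tag, a thread that owns that tag, an unlabeled sink, an admin-endorsed binary) is constructed to show the two properties the talk relies on: ownership lets a domain bypass its own secrecy or integrity tags, and therefore $\rightsquigarrow$ is intransitive, which is why Nickel does not require the can-flow-to relation to be transitive. `Label`, `can_flow_to` and `intransitive_triple` are names chosen here.

```python
"""NiStar-style DIFC labels and the can-flow-to relation from the slide.

Added example, not code from NiStar.  A label is a triple <S, I, O> of tag
sets (secrecy, integrity, ownership) and

    L1 ⇝ L2  :=  (S1 - O1 ⊆ S2 ∪ O2) ∧ (I2 - O2 ⊆ I1 ∪ O1)

Tag names and object roles below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Label:
    S: frozenset = frozenset()  # secrecy tags: who may learn the data
    I: frozenset = frozenset()  # integrity tags: who vouches for the data
    O: frozenset = frozenset()  # ownership tags: privilege to bypass S / I


def L(S=(), I=(), O=()):
    return Label(frozenset(S), frozenset(I), frozenset(O))


def can_flow_to(l1: Label, l2: Label) -> bool:
    """L1 ⇝ L2 exactly as defined on the slide."""
    secrecy_ok = (l1.S - l1.O) <= (l2.S | l2.O)      # secrets not owned must stay tainted
    integrity_ok = (l2.I - l2.O) <= (l1.I | l1.O)    # endorsements not owned must be carried
    return secrecy_ok and integrity_ok


def intransitive_triple(labels):
    """Return (a, b, c) with a ⇝ b and b ⇝ c but not a ⇝ c, or None."""
    for a, b, c in product(labels, repeat=3):
        if can_flow_to(a, b) and can_flow_to(b, c) and not can_flow_to(a, c):
            return (a, b, c)
    return None


# Constructed scenario.
secret_file = L(S={"alice_secret"})                        # tainted with Alice's tag
alice_thread = L(S={"alice_secret"}, O={"alice_secret"})   # owns the tag: may declassify
public_file = L()                                          # unlabeled sink
trusted_bin = L(I={"admin"})                               # endorsed by admin
unprivileged = L()                                         # plain thread, no endorsement

EXAMPLE_LABELS = (secret_file, alice_thread, public_file, trusted_bin, unprivileged)


def summarize():
    """Flow decisions for the constructed scenario."""
    return {
        "secret_to_alice": can_flow_to(secret_file, alice_thread),    # read: allowed
        "alice_to_public": can_flow_to(alice_thread, public_file),    # declassify: allowed
        "secret_to_public": can_flow_to(secret_file, public_file),    # direct leak: denied
        "unpriv_to_trusted": can_flow_to(unprivileged, trusted_bin),  # forge endorsement: denied
        "trusted_to_unpriv": can_flow_to(trusted_bin, unprivileged),  # drop endorsement: allowed
    }


if __name__ == "__main__":
    print(summarize())
    print(intransitive_triple(EXAMPLE_LABELS))
```

`intransitive_triple(EXAMPLE_LABELS)` returns the chain secret_file ⇝ alice_thread ⇝ public_file while secret_file ⇝̸ public_file directly: the owner is the only legitimate declassification path, and a verifier that assumed transitivity would either reject the declassifier or accept the leak. With all ownership sets empty the relation collapses to subset inclusion and is transitive again.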
NiStar scheduler
• New object types to close the channel in the scheduler
• NiStar closes the logical-time channel in the scheduler
Other systems
• Subset of ARINC 653
  • Industrial standard for avionics systems
  • Reproduced three known bugs in the specification
• NiKOS
  • Small Unix-like OS kernel mirroring mCertiKOS [PLDI ‘16]
  • Process isolation policy
Implementation (lines of code)

| Component | NiStar | NiKOS | ARINC 653 |
|---|---|---|---|
| Information flow policy | 26 | 14 | 33 |
| Interface specification | 714 | 82 | 240 |
| Observational equivalence | 127 | 56 | 80 |
| Interface implementation | 3,155 | 343 | - |
| User-space implementation | 9,348 | 389 | - |
| Common kernel infrastructure | 4,829 (shared by NiStar and NiKOS) | 4,829 (shared) | - |

Concise policy: tens of lines in each system.
Low proof burden
• NiStar: six months for the first prototype implementation, six weeks on verification
• NiKOS: two weeks
• ARINC 653: one week
Conclusion
• Verification-driven interface design
  • Systematic way to design secure interfaces
  • Interactive workflow with counterexample-based debugging
• First verified DIFC system
  • Low proof burden
https://nickel.unsat.systems