ni nickel
play

Ni Nickel A Framework for Design and Verification of Information - PowerPoint PPT Presentation

Dec 25, 2023 •423 likes •1.02k views

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

  1. Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org

  2. Enforcing information flow control is critical

  4. Covert channels through error codes

  5. Eliminating unintended flows is difficult • Covert channels: A channel not intended for information flow [Lampson ‘73] • Covert channels are often inherent in interface design • Examples of covert channels in interfaces: • ARINC 653 avionics standard [TACAS ‘16] • Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]

  6. Eliminating unintended flows is difficult • Covert channels: A channel not intended for information flow [Lampson ‘73] • Covert channels are often inherent in interface design • Examples of covert channels in interfaces: • ARINC 653 avionics standard [TACAS ‘16] • Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]

  7. Our approach: Verification-driven interface design Verify interface Specify policy Design interface against policy Counterexample • Extends prior work of push-button verification: • Yggdrasil [ OSDI ‘ 16] & Hyperkernel [ SOSP ‘17 ] • Limitations • Finite interface, expressible using SMT. • Hardware-based side channels not in scope and no concurrency.

  8. Contributions • New formulation and proof strategy for noninterference • Nickel : A framework for design and verification of information flow control (IFC) systems • Experience building three systems using Nickel • First formally verified decentralized IFC OS kernel • Low proof burden: order of weeks

  9. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation Process 1 Process 2

  10. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2

  11. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn → 3 1 1

  12. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn → 3 1 1 spawn → 3+1 … 2 1 spawn → 3+5

  13. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn → 3 1 1 spawn → 3+1 … 2 1 spawn → 3+5 spawn → 3+ 5 +1 3 1

  14. Covert channel in resource names Examples of covert channels Policy: Thread 1 and Thread 2 should not communicate • Resource names Design: Spawn with sequential PID allocation • Resource exhaustion 5 Thread 1 Thread 2 • Statistical information spawn → 3 1 1 • Error handling spawn → 3+1 • Scheduling … 2 1 spawn → 3+5 • Devices and services spawn → 3+ 5 +1 3 1

  15. Noninterference intuition Process 2: Process 1: Process 2: spawn → 3 spawn → 9 spawn 5 times

  16. Noninterference intuition Process 2: Process 1: Process 2: spawn → 3 spawn → 9 spawn 5 times Process 2: Process 2: spawn → 3 spawn → 4

  17. Noninterference intuition Process 2: Process 1: Process 2: spawn → 3 spawn → 9 spawn 5 times Process 2: Process 2: spawn → 3 spawn → 4 Process 1 interferes with Process 2

  18. Information flow policies in Nickel • Set of domains 𝒠 : e.g., processes • Can-flow-to relation ⇝ ⊆ (𝒠 × 𝒠) : permitted flow between domains • Function dom: (𝐵 × 𝑇) → 𝒠 : maps an action and state to a domain

  19. Information flow policies in Nickel • Set of domains 𝒠 : e.g., processes Flexible definition enables broad set of policies • Can-flow-to relation ⇝ ⊆ (𝒠 × 𝒠) : permitted flow between domains • Can-flow-to relation can be intransitive • State dependent dom • Function dom: (𝐵 × 𝑇) → 𝒠 : maps an action and state to a domain

  20. Noninterference definition sources 𝜗, 𝑣, 𝑡 ≔ 𝑣 sources 𝑏 ∘ 𝑢𝑠, 𝑣, 𝑡 ≔ ቐsources 𝑢𝑠, 𝑣, step 𝑡, 𝑏 ∪ dom 𝑏, 𝑡 if ∃𝑤 ∈ sources(𝑢𝑠, 𝑣, step 𝑡, 𝑏 . dom 𝑏, 𝑡 ⇝ 𝑣 sources 𝑢𝑠, 𝑣, step 𝑡, 𝑏 otherwise purge 𝜗, 𝑣, 𝑡 ≔ 𝜗 𝑢𝑠 ′ ∈ purge 𝑢𝑠, 𝑣, step 𝑡, 𝑏 ≔ ቐ 𝑏 ∘ tr ′ } if dom 𝑏, 𝑡 ∈ sources 𝑏 ∘ 𝑢𝑠, 𝑣, 𝑡 purge 𝑏 ∘ 𝑢𝑠, 𝑣, 𝑡 𝑢𝑠 ′ ∈ purge 𝑢𝑠, 𝑣, step 𝑡, 𝑏 𝑏 ∘ tr ′ } ∪ purge(𝑢𝑠, 𝑣, 𝑡) otherwise ∀ 𝑢𝑠 ′ ∈ purge 𝑢𝑠, dom 𝑏, run init,𝑢𝑠 ,init . output run init,𝑢𝑠 ,𝑏 = output run(init,𝑢𝑠 ′ ,𝑏)

  21. Given a policy, purging actions “irrelevant” to a domain should not affect the output of the actions for that domain

  22. Automated verification of noninterference • ℐ init ∧ ℐ 𝑡 ⇒ ℐ step 𝑡, 𝑏 𝑣 is reflexive, symmetric, and transitive • ≈ 𝑣 𝑢 ⇒ (dom 𝑏, 𝑡 ⇝ 𝑣 ⇔ dom 𝑏, 𝑢 ⇝ 𝑣) • ℐ 𝑡 ∧ ℐ 𝑢 ∧ 𝑡 ≈ 𝑣 step(𝑡,𝑏) • ℐ 𝑡 ∧ dom 𝑏, 𝑡 ⇝ 𝑣 ⇒ s ≈

  23. Automated verification of noninterference • ℐ init ∧ ℐ 𝑡 ⇒ ℐ step 𝑡, 𝑏 𝑣 is reflexive, symmetric, and transitive • ≈ Proof strategy: unwinding conditions • Together imply noninterference 𝑣 𝑢 ⇒ (dom 𝑏, 𝑡 ⇝ 𝑣 ⇔ dom 𝑏, 𝑢 ⇝ 𝑣) • Requires reasoning only about individual actions • ℐ 𝑡 ∧ ℐ 𝑢 ∧ 𝑡 ≈ • Amenable to automated reasoning using SMT 𝑣 step(𝑡,𝑏) • ℐ 𝑡 ∧ dom 𝑏, 𝑡 ⇝ 𝑣 ⇒ s ≈

  24. Outline • New formulation and proof strategy for noninterference • Nickel: A framework for design and verification of information flow control (IFC) systems • Experience building three systems using Nickel • First formally verified decentralized IFC OS kernel • Low proof burden: order of weeks

  25. Verification-driven interface design in Nickel 1 2 3 Verify interface Specify policy Design interface against policy Counterexample

  26. Verification-driven interface design in Nickel 1 2 3 Verify interface Specify policy Design interface against policy Counterexample 5 4 Verify implementation Implement against interface interface

  27. Trusted Information flow policy Interface specification Observation function

  28. Trusted Information flow Policy: policy n processes that are not allowed to communicate with each other Interface specification ... pid 1 pid 2 pid n Observation function

  29. Trusted Information flow policy Interface specification Observation function

  30. Trusted Information flow policy Interface specification Observation function

  31. Trusted Information flow policy Interface specification Observation function

  32. Trusted Information flow policy Interface specification Observation function

  33. Trusted Information flow policy Interface specification Observation function

  34. Trusted Information flow policy Interface specification Observation function

  35. Trusted Information flow policy Interface specification Observation function

  36. Trusted Information flow policy Interface specification Observation function

  37. Trusted Information flow policy Interface specification Observation function

  38. Trusted Information flow policy Interface specification Observation function

  39. Trusted Information flow policy Interface specification Observation function

  40. Trusted Information flow policy Interface specification Observation function

  41. Trusted Information flow policy Interface specification Observation function

  42. Trusted Information flow policy Interface specification Observation function

  43. Trusted Information flow policy Nickel SMT Interface specification verifier Observation function

  44. Counter- Trusted example Information flow policy Channel Nickel SMT Interface specification verifier Observation function

  45. Counter- Trusted Design patterns example Information flow policy Bug • Partition names among domains • Reduce flows to the scheduler Nickel SMT Interface • Perform flow checks early specification verifier • Limit resource usage with quotas • Encrypt names from a large space Observation function • Expose or enclose nondeterminism

  46. Counter- Trusted example Information flow policy Bug Nickel SMT Interface specification verifier Observation function

  47. Counter- Trusted example Information flow policy Bug Nickel SMT Interface specification verifier Observation function

  48. Counter- Trusted example Information flow policy Channel Nickel SMT Interface specification verifier Observation function

  49. Counter- Trusted example Information flow policy Channel Nickel SMT Interface specification verifier Verified Observation function

  50. Outline • New formulation and proof strategy for noninterference • Nickel: A framework for design and verification of information flow control (IFC) systems • Experience building three systems using Nickel • First formally verified decentralized IFC OS kernel • Low proof burden: order of weeks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel Conference, Perth 15 October 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel

275 views • 25 slides
POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD & CEO Diggers & Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD & CEO Diggers & Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD & CEO Diggers & Dealers Site Tours August 2019 The Poseidon Proposition BLACK SWAN Ready to restart in less than 9 months at 8,000t nickel p.a. Primed to 3 year

708 views • 22 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD & CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD & CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD & CEO General Meeting 15 July 2019 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations

582 views • 21 slides
Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but maximum10, minutes) presentation made by a student about a particular companys logistics operations, as collected through their own work

340 views • 3 slides
High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15 October 2019 ASX: SGQ Nickel Market What Changed in 2019 Predictions of a stronger nickel price proven to be correct UBS, Miners Price

223 views • 20 slides
Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost Processing Mambare 2011/12 program discovers high-grade nickel Mambare Plateau: 20km north of Kokoda In 1999 Ananconda District, Oro Province

805 views • 21 slides
The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky State legislature passed a law to establish how school districts can fund their facilities. All school districts had to add a Nickel to their tax

353 views • 17 slides
Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel

Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel

Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel Nickel Uses of Nickel Industry Consumption (%) Nickel is one of the most commonly used metals and can be 3% found in over 300,000 products for

399 views • 18 slides
POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting -

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting -

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting - 28 November 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel Limited

275 views • 25 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1

POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1

POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations encompassing the WAs sulphide

330 views • 21 slides
Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland -

Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland -

ASX: RXL Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland - Managing Director 1 Who is Rox? An awarded Australian exploration company Strong Financial Positon: Cash of ~ $13 million & receivables of

553 views • 24 slides
The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David

The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David

The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David Ovadia Executive Chairman D i s c l a i m e r The information in this presentation, which does not purport to be comprehensive, has been provided

567 views • 8 slides
Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers

Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers

ASX: MCR Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers Presentation Kalgoorlie August 2018 Important Notice Disclaimer This presentation has been prepared by Mincor Resources NL ( MCR ).

314 views • 20 slides
Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects TSX-V: CNC August 20, 2020 Forward Looking Statements This Presentation contains certain information that may constitute "forward-looking

774 views • 26 slides
Recovery of metallic nickel from waste sludge produced by electrocoagulation of nickel

Recovery of metallic nickel from waste sludge produced by electrocoagulation of nickel

CYPRUS 2016, 4 th International Conference on Sustainable Solid Waste Management, 23-25 June 2016, Limasol, Cyprus Recovery of metallic nickel from waste sludge produced by electrocoagulation of nickel electroplating effluents K.

444 views • 23 slides
Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects TSX-V: CNC May 28, 2020 Forward Looking Statements This Presentation contains certain information that may constitute "forward-looking

450 views • 24 slides
Multiprocessing (part 2) Ryan Eberhardt and Armin Namavari April 30, 2020 Project logistics

Multiprocessing (part 2) Ryan Eberhardt and Armin Namavari April 30, 2020 Project logistics

Multiprocessing (part 2) Ryan Eberhardt and Armin Namavari April 30, 2020 Project logistics Project (mini gdb) coming out tomorrow, due May 18 Youre also welcome to propose your own project! Run your idea by us before you start

847 views • 48 slides
Shared Objects & Mutual Exclusion DM519 Concurrent Programming 1 1 Repetition (Finite

Shared Objects & Mutual Exclusion DM519 Concurrent Programming 1 1 Repetition (Finite

Chapter 4 Shared Objects & Mutual Exclusion DM519 Concurrent Programming 1 1 Repetition (Finite State Processes; FSP) Finite State Processes (FSP) can be defined using: P = x -> Q // action Q // other process variable

1.49k views • 123 slides
CS415: Systems Programming Process Related Systems Call (System, Fork, EXEC) Most of the slides

CS415: Systems Programming Process Related Systems Call (System, Fork, EXEC) Most of the slides

CS415: Systems Programming Process Related Systems Call (System, Fork, EXEC) Most of the slides in this lecture are either from or adapted from the slides provided by Dr. Ahmad Barghash Creating processes Method (1) using system The

235 views • 21 slides
Process Management: Synchronization Why? Examples What? The Critical Section Problem

Process Management: Synchronization Why? Examples What? The Critical Section Problem

CPSC-410/611 Operating Systems Process Synchronization Process Management: Synchronization Why? Examples What? The Critical Section Problem How? Software solutions Hardware-supported solutions The basic synchronization

389 views • 24 slides
Linked Open Data and MultilingualWeb-LT Requirements Pedro L. Dez Orzas (Linguaserve) Dublin,

Linked Open Data and MultilingualWeb-LT Requirements Pedro L. Dez Orzas (Linguaserve) Dublin,

Linked Open Data and MultilingualWeb-LT Requirements Pedro L. Dez Orzas (Linguaserve) Dublin, June 13th These categories are used primarily for controlling or indicating the state of the content production process: readin readiness

373 views • 10 slides
Introduction to self-similar growth-fragmentations Quan Shi CIMAT, 11-15 December, 2017 Quan Shi

Introduction to self-similar growth-fragmentations Quan Shi CIMAT, 11-15 December, 2017 Quan Shi

Introduction to self-similar growth-fragmentations Quan Shi CIMAT, 11-15 December, 2017 Quan Shi Growth-Fragmentations CIMAT, 11-15 December, 2017 1 / 34 Literature Jean Bertoin, Compensated fragmentation processes and limits of dilated

1.39k views • 93 slides
Process Dynamics, Variations and Controls in Software Engineering 1 Agenda Background

Process Dynamics, Variations and Controls in Software Engineering 1 Agenda Background

Process Dynamics, Variations and Controls in Software Engineering 1 Agenda Background Introduction Software process dynamics model Process capability versus process controls SDICC- Approach for Process Management

912 views • 15 slides
Quadratic Hawkes processes (for financial price series) Fat-tails and Time Reversal

Quadratic Hawkes processes (for financial price series) Fat-tails and Time Reversal

Quadratic Hawkes processes (for financial price series) Fat-tails and Time Reversal Asymmetry Pierre Blanc, Jonathan Donier, JPB (building on previous work with Rmy Chicheportiche & Steve Hardiman) Stylized facts I. Well

304 views • 19 slides

More recommend