nickel a framework for design and verification of
play

Nickel: A framework for design and verification of information flow - PowerPoint PPT Presentation

Sep 17, 2023 •418 likes •749 views

Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1

  1. Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day � 1

  2. Motivation: high verification burden • Verification is effective at eliminating bugs • Requires expertise • Large time investment � 2

  3. Approach: push-button verification Crash-safe filesystems (Python) Yggdrasil OSDI 2016 Small OS kernel (C, memory isolation) Hyperkernel SOSP 2017 Information flow control systems Nickel OSDI 2018 � 3

  4. Information flow control systems

  7. Goal: eliminate covert channels from systems • Covert channel (Lampson ’73) : unintended flow between system components • Approach : verification-driven development • Verify noninterference for interface specification • Verify refinement for implementation • Limitations : no physical channels; no concurrency � 7

  8. Contributions • Formulation of noninterference amenable to automated verification • Nickel is a framework for verifying IFC systems. • Applied Nickel to verify systems including • NiStar: first formally verified DIFC OS kernel • ARINC 653 communication interface: avionics kernel standard � 8

  9. Example covert channel: resource names Policy : process A and process B should not communicate Interface : spawn system call returns sequential PIDs Try to violate policy by sending a secret (in this case, 2) to process B 2 Process A Process B � 9

  10. Example covert channel: resource names Policy : process A and process B should not communicate Interface : spawn system call returns sequential PIDs Process A Process B 6-3-1= 2 spawn → 3 spawn → 4 spawn → 5 spawn → 6 � 10

  11. Noninterference intuition Process A Process A Process B Process B spawn → 4 spawn → 5 spawn → 6 spawn → 3 Process B Process B spawn → 4 spawn → 3 � 11

  12. Noninterference intuition Many kinds of covert channels Process A Process A • Resource names and exhaustion Process B Process B spawn → 4 spawn → 5 spawn → 6 spawn → 3 • Statistical information • Error handling • Scheduling Process B Process B • Devices and services spawn → 4 spawn → 3 � 12

  13. Noninterference For any trace tr, action a, removing “irrelevant” actions should not affect the output of a. output ( run ( init , tr ), a ) = output ( run ( init , purge* ( tr , a )), a ) � 13

  14. Information flow policies in Nickel D : Set A set of domains A can-flow-to relation specifying permitted ⇝ ⊆ ( D × D ) flows among domains A function mapping an dom : ( A × S ) → D action in a state to a domain pid 1 pid 2 pid n � 14

  15. Automated verification of noninterference Proof strategy : unwinding conditions • Together imply noninterference • Reason about one action at a time • Amenable to SMT solving using Z3 v I ( s ) ∧ ¬( dom ( a , s ) ⇝ v ) → s ≈ step(s, a) Local respect I ( s ) ∧ I ( t ) ∧ s dom ( a , s ) Output consistency t → output ( s , a ) = output ( t , a ) ≈ ≈ t ∧ s dom ( a , s ) Weak step consistency u u t → step(s, a) ≈ step ( t , a ) I ( s ) ∧ I ( t ) ∧ s ≈ � 15

  16. Nickel workflow Counterexample Design Verify interface Interface Specify interface against policy noninterference policy Counterexample Verify Implement implementation interface against interface Implementation noninterference and functional correctness � 16

  17. Programmer inputs Information flow policy Interface specification Observational equivalence � 17

  18. Information flow policy Interface specification Observational equivalence n processes that are not allowed to communicate pid 1 pid 2 pid n � 18

  19. Information flow policy Interface specification Observational equivalence n processes that are not allowed to communicate class State : current = PidT() nr_procs = SizeT() proc_status = Map(PidT, StatusT) def can_flow_to(domain1, domain2): # Flow only permitted if same domain return domain1 == domain2 def dom(action, state): # Domain of each action is current process return state.current pid 1 pid 2 pid n � 19

  20. Information flow policy Interface specification Observational equivalence def sys_spawn(old): Compute child pid child_pid = old.nr_procs + 1 Precondition for pre = child_pid <= NR_PROCS system call new = old.copy() Update system state new.nr_procs += 1 new.proc_status[child_pid] = RUNNABLE Return new state return pre, If (pre, new, old) � 20

  21. Information flow policy Interface specification Observational equivalence pid 4 State 1 ≈ State 2 current current nr_procs nr_procs proc_status[3] proc_status[3] proc_status[4] proc_status[4] � 21

  22. Information flow policy Interface specification Observational equivalence class State : current = PidT() nr_procs = SizeT() proc_status = Map(PidT, StatusT) def obs_eqv(domain, state1, state2): return And( state1.current == state2.current, state1.nr_procs == state2.nr_procs, state1.proc_status[domain.pid] == state2.proc_status[domain.pid] ) pid 4 State 1 ≈ State 2 current current nr_procs nr_procs proc_status[3] proc_status[3] proc_status[4] proc_status[4] � 22

  23. Systems verified using Nickel Component NiStar NiKOS ARINC 653 Information flow policy 26 14 33 Interface specification 714 82 240 Observational equivalence 127 56 80 Implementation 3,155 343 — User-space implementation 9,348 389 — Common kernel infrastructure 4,829 (shared by NiStar/NiKOS) — � 23

  24. Demo

  25. spawn example pid 1 pid 2 pid n � 25

  26. tainting example send(B, 12) Process A Process B Process C Process D Value: 0 Value: 42 Value: 3 Value: 5 Level: tainted Level: untainted Level: untainted Level: tainted � 26

  27. tainting example send(B, 12) Process A Process B Process C Process D Value: 0 Value: 12 Value: 3 Value: 5 Level: tainted Level: tainted Level: untainted Level: tainted � 27

  28. tainting example Process A if Value == 0: wait(500) send(B, 0) if Level != tainted: Value: secret_bit send(C, 1) Level: tainted Process B Value: 0 wait(1000) Process C Level: untainted if Value == 0: # secret is 0 Value: 0 else: # secret is 1 Level: untainted � 28

  29. tainting example Process A if Value == 0: wait(500) send(B, 0) if Level != tainted: Value: 1 send(C, 1) Level: tainted Process B Value: 0 wait(1000) Process C Level: untainted if Value == 0: # secret is 0 Value: 1 else: # secret is 1 Level: untainted send(C, 1) � 29

  30. tainting example Process A if Value == 0: wait(500) send(B, 0) if Level != tainted: Value: 0 send(C, 1) Level: tainted Process B Value: 0 send(B, 0) wait(1000) Process C Level: tainted if Value == 0: # secret is 0 Value: 0 else: # secret is 1 Level: untainted � 30

  31. Thanks! https://nickel.unsat.systems � 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

VLSI Design Verification and Test Simulation CMPE 646 Design Verification Simulation used for 1) design verification : verify the correctness of the design and 2) test verification. Design verification: Specification Critical or

426 views • 15 slides
POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel Conference, Perth 15 October 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel

275 views • 25 slides
Design Verification with e The language e Contains all the constructs necessary

Design Verification with e The language e Contains all the constructs necessary

Design Verification with e The language e Contains all the constructs necessary for a complete verification tool Allows objects in the verification environment to be extended Needs to express constraints Coverage

946 views • 80 slides
CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test,

CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test,

CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test, Fall 2006. 3 credits. Course Instructor: Dr. Jim Plusquellic, Professor of Computer Science &amp; Electrical Engineering Office: ECS 212,

760 views • 3 slides
POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD &amp; CEO Diggers &amp; Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD &amp; CEO Diggers &amp; Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD &amp; CEO Diggers &amp; Dealers Site Tours August 2019 The Poseidon Proposition BLACK SWAN Ready to restart in less than 9 months at 8,000t nickel p.a. Primed to 3 year

708 views • 22 slides
Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design Verification Design Standards Design Verification Verification Methods Approaches State Machines Program Tracing Program Correctness

499 views • 3 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD &amp; CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD &amp; CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD &amp; CEO General Meeting 15 July 2019 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations

582 views • 21 slides
Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but maximum10, minutes) presentation made by a student about a particular companys logistics operations, as collected through their own work

340 views • 3 slides
High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15 October 2019 ASX: SGQ Nickel Market What Changed in 2019 Predictions of a stronger nickel price proven to be correct UBS, Miners Price

223 views • 20 slides
Validation and Verification Using Spatial Logic Framework for Building Layouts By Abhinav

Validation and Verification Using Spatial Logic Framework for Building Layouts By Abhinav

Validation and Verification Using Spatial Logic Framework for Building Layouts By Abhinav Fatehpuria Vineet Gupta 12/ 6/ 2005 ENPM 643 System Validation &amp; Verification 1 Agenda Background Project Description Floor Plan

340 views • 32 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (April 13, 2000 6:35 pm) I E S R

UMBC A B M A L T F O U M B C I M Y O R T 1 (April 13, 2000 6:35 pm) I E S R

Advanced VLSI Design VLSI Simulation CMPE 414/CMSC 691x Overview Design Automation is essential in dealing with the complexity of IC design and verification. There are a wide range of tools available: Analysis and verification tools to

388 views • 16 slides
Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost Processing Mambare 2011/12 program discovers high-grade nickel Mambare Plateau: 20km north of Kokoda In 1999 Ananconda District, Oro Province

805 views • 21 slides
The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky State legislature passed a law to establish how school districts can fund their facilities. All school districts had to add a Nickel to their tax

353 views • 17 slides
iCar iCar Craig Nickel ENSE 623 Design Project December 4, 2007 Outline Outline

iCar iCar Craig Nickel ENSE 623 Design Project December 4, 2007 Outline Outline

iCar iCar Craig Nickel ENSE 623 Design Project December 4, 2007 Outline Outline Introduction Use Case Model System Modeling, Analysis &amp; Design Requirements Specifications &amp; Constraints System Validation &amp;

153 views • 13 slides
Peg Burchinal University of North Carolina at Chapel Hill } Brief history of research on child

Peg Burchinal University of North Carolina at Chapel Hill } Brief history of research on child

Peg Burchinal University of North Carolina at Chapel Hill } Brief history of research on child care and it role in child care policy } Discuss growing concerns: modest quality effects and fade-out } Present our research addressing these

846 views • 42 slides
&amp; Parental Marital Quality Joseph P. Allen Joseph S. Tan Leah A. Grande University of

&amp; Parental Marital Quality Joseph P. Allen Joseph S. Tan Leah A. Grande University of

Predictors of Changing Attachment Security From 14 to 24: Autonomy Struggles, Supportive Behaviors &amp; Parental Marital Quality Joseph P. Allen Joseph S. Tan Leah A. Grande University of Virginia Collaborators: Farah Williams, Ph.D.

297 views • 27 slides
The Spatial Epidemiology of Pediatric Trauma: A Statewide Assessment Allison Ertl 1 , MS Yuhong

The Spatial Epidemiology of Pediatric Trauma: A Statewide Assessment Allison Ertl 1 , MS Yuhong

The Spatial Epidemiology of Pediatric Trauma: A Statewide Assessment Allison Ertl 1 , MS Yuhong Zhou 1 Kirsten Beyer 1 , PhD, MPH, MS Sergey Tarima 1 , PhD Jonathan I. Groner 2 , MD Laura D. Cassidy 1 , MS, PhD Pediatric Trauma Society Annual

415 views • 10 slides
A UNIVERSAL CHILD ALLOWANCE: A plan to reduce poverty and income instability among children in

A UNIVERSAL CHILD ALLOWANCE: A plan to reduce poverty and income instability among children in

A UNIVERSAL CHILD ALLOWANCE: A plan to reduce poverty and income instability among children in the United States H. Luke Shaefer, University of Michigan Sophie Collyer, Columbia University Greg Duncan, University of California Irvine Kathryn

413 views • 18 slides
A Three-Way Model for Collective Learning on Multi-Relational Data 28th International Conference

A Three-Way Model for Collective Learning on Multi-Relational Data 28th International Conference

Poster at Session P2 A Three-Way Model for Collective Learning on Multi-Relational Data 28th International Conference on Machine Learning Maximilian Nickel 1 Volker Tresp 2 Hans-Peter Kriegel 1 1 Ludwig-Maximilians Universitt, Munich 2 Siemens

372 views • 24 slides
INTEGRATING CRITICAL AREAS WITH SHORELINE AREAS PAW LAND USE BOOT CAMP 2019 PRESENTED BY DAN

INTEGRATING CRITICAL AREAS WITH SHORELINE AREAS PAW LAND USE BOOT CAMP 2019 PRESENTED BY DAN

INTEGRATING CRITICAL AREAS WITH SHORELINE AREAS PAW LAND USE BOOT CAMP 2019 PRESENTED BY DAN NICKEL AGENDA Introductions Brief history of GMA/SMA integration Breakdown of key issues / misconceptions Overview of jurisdictional

687 views • 22 slides
61A Lecture 21 Monday, October 15 Tree Recursion Tree-shaped processes arise whenever executing

61A Lecture 21 Monday, October 15 Tree Recursion Tree-shaped processes arise whenever executing

61A Lecture 21 Monday, October 15 Tree Recursion Tree-shaped processes arise whenever executing the body of a function entails making more than one call to that function. n: 1, 2, 3, 4, 5, 6, 7, 8, 9, ... , 35 fib(n): 0, 1, 1, 2,

505 views • 9 slides
THE NEW RNC MINERALS Delivering a New, High Quality Gold Producer in Western Australia TSX :

THE NEW RNC MINERALS Delivering a New, High Quality Gold Producer in Western Australia TSX :

THE NEW RNC MINERALS Delivering a New, High Quality Gold Producer in Western Australia TSX : RNX | OTCQX : RNKLF Investor Presentation September 2019 Disclaimer Cautionary Statements Concerning Forward-Looking Statements This

663 views • 28 slides

More recommend