Verifying that a compiler preserves concurrent value-dependent - - PowerPoint PPT Presentation

www.data61.csiro.au

Verifying that a compiler preserves concurrent value-dependent information-flow security

Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019

THE UNIVERSITY OF NEW SOUTH WALES

2 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

So you’ve proved your program doesn’t leak secrets…

No leaks!

2 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

So you’ve proved your program doesn’t leak secrets…

No leaks!

How do you know your compiler won’t introduce leaks?

2 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

So you’ve proved your program doesn’t leak secrets…

No leaks!

How do you know your compiler won’t introduce leaks? What if your compiler could be proved to preserve it?

3 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

So you’ve proved your program doesn’t leak secrets…

What if your compiler could be proved to preserve it?

3 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Here's how!

So you’ve proved your program doesn’t leak secrets…

What if your compiler could be proved to preserve it?

3 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Using confidentiality-preserving refinement

Here's how!

So you’ve proved your program doesn’t leak secrets…

What if your compiler could be proved to preserve it?

3 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Using confidentiality-preserving refinement

• 1. With a decomposition

principle

B I R R

= =

Here's how!

So you’ve proved your program doesn’t leak secrets…

What if your compiler could be proved to preserve it?

3 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

(in Isabelle/HOL)

• 2. Applied to a compiler


Using confidentiality-preserving refinement

• 1. With a decomposition

principle

B I R R

= =

Here's how!

So you’ve proved your program doesn’t leak secrets…

What if your compiler could be proved to preserve it?

3 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

(in Isabelle/HOL)

• 2. Applied to a compiler


Using confidentiality-preserving refinement

• 1. With a decomposition

principle

B I R R

= =

Here's how!

So you’ve proved your program doesn’t leak secrets…

What if your compiler could be proved to preserve it?

Our contributions

4 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

(Proof-of-concept
 for technique) (Technique)

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html)

Prove a compiler preserves proofs of
 confidentiality — in an interactive theorem prover!

4 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

(Proof-of-concept
 for technique) (Technique)

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html) (Specifically…)

4 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

(Proof-of-concept
 for technique) (Technique)

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html) (Specifically…)

4 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

(Proof-of-concept
 for technique) (Technique)

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html)

Motivation + Background: Murray et al. (CSF’16)

(Why all this?)

4 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

(Proof-of-concept
 for technique) (Technique)

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html)

Motivation + Background: Murray et al. (CSF’16)

(Why all this?)

(Why it’s hard!)

4 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

(Proof-of-concept
 for technique) (Technique)

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html)

Motivation + Background: Murray et al. (CSF’16)

(Why still hard?)

Motivation

Confidentiality for modern software (CSF’16)

5

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

Doesn't leak secrets

(storage channels)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

Doesn't leak secrets

(storage channels)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

__________________

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

_________ __________________

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

_____________ __________________

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

__________________

• 3. Compositionally!


(per-thread effort)

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

__________________

• 3. Compositionally!


(per-thread effort) Beaumont et al.
 (ACSAC’16)

Example

(DSTG + Data61 collaboration)

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Unclassified

PROTECTED

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Unclassified

PROTECTED

… 😒 , 💹

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

SECRET,

PROTECTED,

• r Unclassified?

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

_____________

SECRET,

PROTECTED,

• r Unclassified?

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

_________

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Cross Domain
 Desktop Compositor
 (CDDC)

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

_________

seL4-based software architecture

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

_________

seL4-based software architecture

(Case study: simplified model)

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

_________

seL4-based software architecture

(Case study: simplified model)

• 3. Compositionally!


(per-thread effort)

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

_________

seL4-based software architecture

(Case study: simplified model)

• 3. Compositionally!


(per-thread effort)

Motivation

Confidentiality for modern software (CSF’16)

Confidentiality

5

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

(storage channels)

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Confidentiality

• 1. Multiple moving parts


(well-synchronised)

Doesn't leak secrets

• 2. Mixed-sensitivity reuse


(of devices, space, etc.)

Concurrent value-dependent information-flow security

(storage channels)

• 3. Compositionally!


(per-thread effort)

Can a compiler preserve it?

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

This particularly
 makes it harder!

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

This particularly
 makes it harder!

Interference-resilience (tricky)

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11

This particularly
 makes it harder!

Interference-resilience (tricky)

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11

This particularly
 makes it harder!

Interference-resilience (tricky)

+

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11

This particularly
 makes it harder!

No storage leaks

Interference-resilience (tricky)

+

6

Concurrent value-dependent information-flow security

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

Volpano & Smith, CSFW’98

No storage leaks

Interference-resilience (tricky)

+

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

Volpano & Smith, CSFW’98

No storage leaks

Program A Program B

Minimal example:

Interference-resilience (tricky)

+

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

h isn’t assigned to anything h isn’t even here! _ _

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Program A Program B

Minimal example:

Interference-resilience (tricky)

+

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

____

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 v = 0

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 v = 0

/

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 v = 0

/ /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 v = 0

/ / /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 l = 0 v = 0

/ / / /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 l = 0 v = 1

/ / / /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 h = 1 l = 0 v = 0

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 h = 1 l = 0 v = 0

/

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 h = 1 l = 0 v = 0

/ /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 h = 1 l = 0 v = 1

/ / /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____

h = 0 h = 1 l = 0 l = 1 v = 1

/ / / /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

Storage leak


• f h!

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____ ____

h = 0 h = 1 l = 0 l = 1 v = 1

/ / / /

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

Storage leak


• f h!

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks! Timing leak Storage leak

; skip Timing


fix

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____ ____ ____ ____

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

Storage leak


• f h!

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

; skip Timing


fix

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____ ____

Timing
 fix

skip But: Compiler may eliminate it!

Minimal example:

Interference-resilience (tricky)

+

Timing leak


• f h

Storage leak


• f h!

6

Concurrent value-dependent information-flow security

if (h) then skip else skip; skip fi v := 1 l := v

// Initially, v = 0

||

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Motivation

Why wouldn’t a compiler preserve it? (CSF’16)

Some extra stuff to preserve


(not that hard)

control variable contents
 (sensitivity-switching)

Murray et al. CSF’16

relies/guarantees
 (synchronisation)

Mantel et al. CSF’11


 Each thread must prevent (scheduler-relative) timing leaks!

; skip Timing


fix

(or, introduce new “if (h)”!)

This particularly
 makes it harder!

_

Volpano & Smith, CSFW’98

No storage leaks

Thread A Thread B

Schedule
 A, A, A, B, …

____ ____

Timing
 fix

skip But: Compiler may eliminate it!

Minimal example:

Interference-resilience (tricky)

+

• preserving refinement

Concurrent value-dependent information-flow security 1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

Program configurations

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

Relations
 (between)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

Program configurations

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

Relations
 (between) Execution
 steps

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

Program configurations

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

“Usual” refinement:

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

“Usual” refinement: 


A simulates C ⇒ C refines A

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

“Usual” refinement: 


A simulates C ⇒ C refines A

For-all

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

“Usual” refinement: 


A simulates C ⇒ C refines A

Exists For-all

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

From compiler
 front-end

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

?

Confidentiality-preserving refinement

“BC” “BC”

“BC”

AFP entry:

Dependent_SIFUM_Refinement

From compiler
 front-end For free ?

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

(Two-sided!)

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

For-all

1

Exists

(Two-sided!)

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

For-all

1

Exists

(Two-sided!)

For-all

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

2

Exists

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

For-all

1

Exists

(Two-sided!)

For-all

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

2

Exists

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

For-all

1

Exists

(Two-sided!)

For-all

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

2

Exists

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

7

Security proof
 (Bisimulation B) + ⇒ Security proof
 (Bisimulation BCof B R I) Compiler correctness proof (Refinement R)

Direction


• f


compilation

Abstract Concrete

Confidentiality-preserving refinement

AFP entry:

Dependent_SIFUM_Refinement

For-all

1

Exists

(Two-sided!)

For-all

From compiler
 front-end “For free”*

*

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Background

Why is it hard to prove? (CSF’16)

(Compare: Barthe et al. CSF’18)

8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

Goal

Our contributions

Plan: Use confidentiality-preserving refinement

8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

(Technique)

Goal Results

Our contributions

8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

• 2. Verified compiler

While-language to RISC-style assembly

B I R R

= =

(Technique)

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

(Proof-of-concept
 for technique)

8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

• 2. Verified compiler

While-language to RISC-style assembly

B I R R

= =

(Technique)

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

(Proof-of-concept
 for technique)

8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security

• 1. Decomposition principle

for confidentiality-preserving refinement

• 2. Verified compiler

While-language to RISC-style assembly

B I R R

= =

(Technique)

Goal Results

Our contributions

1st such proofs carried to assembly-level model by compiler

Impact

Proof effort almost halved!

(Proof-of-concept
 for technique)

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

A abs-steps A C A0

R R

C C0

1A 1A0 2A 2A0

B B I I R R R R

1C 1C0 2C 2C0

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

implies

( ⟹ )

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement

A abs-steps A C A0

R R

C C0

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement

“Pacing function” abs-steps
 for (refinement) relation R _____

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness!

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing

• 4. Closedness of


“Concrete coupling
 invariant” relation I


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing

• 4. Closedness of


“Concrete coupling
 invariant” relation I


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing

• 4. Closedness of


“Concrete coupling
 invariant” relation I


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

No new timing
 and termination leaks!

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

1A abs-steps 1A 1C = 2A abs-steps 2A 2C

B I R R

1C stops 1C = 2C stops 2C 1A 2A

B I I R R

1C 1 1C0 2C 2C0

The “cube”, decomposed

Simpler confidentiality-preserving refinement

9

• 1. “Usual” proof
• f refinement
• 2. Consistent pacing

• 4. Closedness of


“Concrete coupling
 invariant” relation I


“Pacing function” abs-steps
 for (refinement) relation R _____ _____ _____ Security witness
 (bisimulation) relation B

A abs-steps A C A0

R R

C C0

No new timing
 and termination leaks!

(+ “extra stuff” for conc, val-dep)

Standard compiler
 correctness! and


• 3. Consistent stopping

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Proof effort comparison

Refinement example (excerpt) from CSF’16

10

if h 6= 0 then x := y else x := y + z fi

reg3 := h; if reg3 6= 0 then skip; skip; reg0 := y; x := reg0 else reg1 := y; reg2 := z; reg0 := reg1 + reg2; x := reg0 fi

Abstract program Concrete program

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

formalisation artifact:

https://covern.org/itp19.html

Proof effort comparison

Refinement example (excerpt) from CSF’16

10

if h 6= 0 then x := y else x := y + z fi

reg3 := h; if reg3 6= 0 then skip; skip; reg0 := y; x := reg0 else reg1 := y; reg2 := z; reg0 := reg1 + reg2; x := reg0 fi

Abstract program Concrete program

_

_

branch


• n secret

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

formalisation artifact:

https://covern.org/itp19.html

Proof effort comparison

Refinement example (excerpt) from CSF’16

10

if h 6= 0 then x := y else x := y + z fi

reg3 := h; if reg3 6= 0 then skip; skip; reg0 := y; x := reg0 else reg1 := y; reg2 := z; reg0 := reg1 + reg2; x := reg0 fi

Abstract program Concrete program

padding
 to prevent
 timing leak

_

_

branch


• n secret

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

formalisation artifact:

https://covern.org/itp19.html

• 44% shorter proof of secure refinement


(~3.6K to ~2K lines of Isabelle/HOL proofs)

Proof effort comparison

Refinement example (excerpt) from CSF’16

10

if h 6= 0 then x := y else x := y + z fi

reg3 := h; if reg3 6= 0 then skip; skip; reg0 := y; x := reg0 else reg1 := y; reg2 := z; reg0 := reg1 + reg2; x := reg0 fi

Abstract program Concrete program

padding
 to prevent
 timing leak

_

_

branch


• n secret

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

formalisation artifact:

https://covern.org/itp19.html

(Proof-of-concept
 for technique)

11 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

Impact

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security 1st such proofs carried to assembly-level model by compiler

Impact

• 2. Verified compiler

While-language to RISC-style assembly

Proof effort almost halved!

(Technique)

(Proof-of-concept
 for technique)

11 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

Impact

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security 1st such proofs carried to assembly-level model by compiler

Impact

• 2. Verified compiler

While-language to RISC-style assembly

Proof effort almost halved!

(Technique)

Verified compiler

Overview

12 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

An Isabelle/HOL primrec function

(Formalisation: https://covern.org/itp19.html)

Verified compiler

Overview

12 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

An Isabelle/HOL primrec function

(Based on:
 Tedesco et al. CSF’16)

(Formalisation: https://covern.org/itp19.html)

Verified compiler

Overview

12 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

An Isabelle/HOL primrec function

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

(Based on:
 Tedesco et al. CSF’16)

(Formalisation: https://covern.org/itp19.html)

Verified compiler

Overview

12 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

An Isabelle/HOL primrec function

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

(Based on:
 Tedesco et al. CSF’16)

(Formalisation: https://covern.org/itp19.html)

Verified compiler

Overview

12 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

An Isabelle/HOL primrec function

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

(Based on:
 Tedesco et al. CSF’16)

(Formalisation: https://covern.org/itp19.html)

Verified compiler

Overview

12 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

An Isabelle/HOL primrec function

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

(Based on:
 Tedesco et al. CSF’16)

(Formalisation: https://covern.org/itp19.html)

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

(Formalisation: https://covern.org/itp19.html)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

(Formalisation: https://covern.org/itp19.html)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2

True

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2

True

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2

False

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2

False

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional
• Theorem: R (for B, with I)


is a secure refinement

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC While RISC

(Formalisation: https://covern.org/itp19.html)

If e c1 c2 … …

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional
• Theorem: R (for B, with I)


is a secure refinement

(via decomposition principle)

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC While RISC

B I R R

= =

(Formalisation: https://covern.org/itp19.html)

If e c1 c2 … …

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional
• Theorem: R (for B, with I)


is a secure refinement

(via decomposition principle)

• Theorem: Compiler input related to output by R

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC While RISC

B I R R

= =

(Formalisation: https://covern.org/itp19.html)

If e c1 c2 … …

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional
• Theorem: R (for B, with I)


is a secure refinement

(via decomposition principle)

• Theorem: Compiler input related to output by R

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC While RISC

B I R R

= =

(Formalisation: https://covern.org/itp19.html)

If e c1 c2 … …

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional
• Theorem: R (for B, with I)


is a secure refinement

(via decomposition principle)

• Theorem: Compiler input related to output by R

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC While RISC

B I R R

= =

(Formalisation: https://covern.org/itp19.html)

If e c1 c2 … …

(Inductive)

• Nominate R (and I) to characterise compilation


(for proofs B produced by our type system)

• e.g. R cases for if-conditional
• Theorem: R (for B, with I)


is a secure refinement

(via decomposition principle)

• Theorem: Compiler input related to output by R

13 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Verified compiler

Proof approach

While RISC While RISC

B I R R

= =

(Formalisation: https://covern.org/itp19.html)

If e c1 c2 … …

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

Verified compiler

Overview

14 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

An Isabelle/HOL primrec function

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

(Formalisation: https://covern.org/itp19.html)

(Based on:
 Tedesco et al. CSF’16)

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

Verified compiler

Overview

14 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

An Isabelle/HOL primrec function

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

(Formalisation: https://covern.org/itp19.html)

(Based on:
 Tedesco et al. CSF’16)

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

(Formalisation: https://covern.org/itp19.html)

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

(Formalisation: https://covern.org/itp19.html)

Concurrent input-handling architecture

(extremely simplified)

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

~250 RISC instructions

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

~250 RISC instructions

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Proof effort preserved!

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

~250 RISC instructions

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Proof effort preserved!

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

~250 RISC instructions

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Proof effort preserved!

Verified compiler

Application: CDDC input-handling model

15

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

~250 RISC instructions

(Formalisation: https://covern.org/itp19.html)

~150 lines While

Proof effort preserved!

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

Verified compiler

Overview

16 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

An Isabelle/HOL primrec function

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

(Formalisation: https://covern.org/itp19.html)

(Based on:
 Tedesco et al. CSF’16)

• Proof approach: ~7K lines of Isabelle/HOL script
• Prevents data races on shared memory
• Knows when safe to optimise reads

Verified compiler

Overview

16 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• Application: 2-thread input-handling model

• f Cross Domain Desktop Compositor

An Isabelle/HOL primrec function

While RISC

Skip Seq (i.e. c1 ;; c2) Assign (i.e. v ← e) If e c1 c2 While e c (Imperative) (Assembly) Load r v Store v r Jmp l Jz l r Nop ... ...

(Formalisation: https://covern.org/itp19.html)

(Based on:
 Tedesco et al. CSF’16)

(Technique)

17 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

Proof effort almost halved!

Impact

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security 1st such proofs carried to assembly-level model by compiler

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html) (Proof-of-concept
 for technique)

(Conclusion)

(Technique)

17 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

Proof effort almost halved!

Impact

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security 1st such proofs carried to assembly-level model by compiler

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html) (Proof-of-concept
 for technique)

(Conclusion)

(Technique)

17 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

• 1. Decomposition principle

for confidentiality-preserving refinement

B I R R

= =

Goal Results

Our contributions

Proof effort almost halved!

Impact

Prove a compiler preserves proofs of concurrent
 value-dependent information-flow security 1st such proofs carried to assembly-level model by compiler

• 2. Verified compiler

While-language to RISC-style assembly

(Formalisation: https://covern.org/itp19.html) (Proof-of-concept
 for technique)

Thank you! Please see

(Conclusion) + Q & A

18

Tedesco et al. CSF’16

Appendix

Differences from Tedesco et al. CSF'16 compilation scheme

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

18

Our While-to-RISC compiler

Appendix

Differences from Tedesco et al. CSF'16 compilation scheme

Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray