Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size Jason Franklin, Sagar Chaki,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size Jason Franklin, Sagar Chaki,"— Presentation transcript:

1 Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size Jason Franklin, Sagar Chaki, Anupam Datta CMU Arvind Seshadri IBM Research

2 Reference Monitors Observe execution of system and prevent actions that violate security policy Security critical components – OSes, VMMs, and browsers System Reference Monitor Adversary Policy Automatically verify that reference monitors enforce desired security properties in presence of adversary

3 Case Study: SecVisor Promising direction to reduce complexity of verification – Reducing code size and interface – TrustVisor, SecVisor, and others < 10k L.O.C. and < 10 hypercalls Kernel Page Table Shadow Page Table Synchronization Adversary SecVisor KEY Memory Protection

4 Data Structure Size and Verification Complexity Reference monitors operate on large data structures – Page tables, memory protection structures, etc. Complexity of automated verification increases exponentially with increase in data structure size Page Table EntriesStatesSpaceTime 355,000 8MB2 sec 41,700,000<256MB360 sec 5--Out of Memory-- Realistic Sizes = 2^16-- Murphi model checking SecVisor with increasing page table size Need automated verification techniques that scale gracefully with increase in data structure size

5 SecVisor in More Detail RUM W WXKC KD Kernel Page Table UM X WKD KC Shadow Page Table SecVisor Sync ≡ foreach row do if (W XOR X) then Sync R SecVisor Sync W UM=User Memory KD=Kernel Data KC=Kernel Code

6 Insight: Leverage Parametricity Reference Monitor  n 1 ref_monitor ≡ foreach row do if (Row_UnProtected) then modify row; Row independent Row uniform

7 System Reference Monitor Adversary Small Model Analysis: Modeling Systems and Properties Modeling reference monitors and adversaries – Parametric Guarded Command Language (PGCL) Expressing security properties – Parametric Temporal Specification Logic (PTSL) Policy SYS(n) ADV(n) RM(n) P(n)

8 Language Design Challenges Balancing expressiveness with small model analysis – Conditionals – Whole array ops – Assignment – Parallel and sequential composition – Non-deterministic update Distinctive features – Modeling systems and adversaries: whole array operations – Adversary: Non-deterministic updates foreach row do if (Condition) then Set row = x; Adversary ≡ foreach row do row[0] = *;

9 Result: Small Model Theorems (SMT) Relate properties of System(1) to System(n), for all finite n – Sound: If small model is secure then large model is secure – Complete: If small model is insecure then large model is insecure SMT System(n)System(1) Verify Secure! Insecure

10 Small Model Analysis of SecVisor Execution Integrity: In kernel mode, only kernel code should be executable. In PTSL: Pexec == MODE=KERNEL ⇒ ( ∀ i. P[i][SPTX] ⇒ (P[i][SPTPA] = KC)) System SecVisor(n) Adversary W xor X SYS(n)ADV(n) RM(n) Initial condition: SecVisor starts in kernel mode and only kernel code is executable In PTSL: Init == MODE=KERNEL ^ ( ∀ i. P[i][SPTX] ⇒ (P[i][SPTPA] = KC)) SMT SecVisor(1) Verify mode = kernel AND FOREACH page in SPT, if eXe then page maps kernel code If mode = kernel then FOREACH page in SPT, if eXe then page maps kernel code

11 Small Model Safety Theorem System model – Let gc(k) be any instantiated guarded command (i.e., any well-formed program) Security property – Let  in GSF be any generic state formula – Forall i. P(i), Exists i. P(i), or conjunctions of Initial state – Let Init in USF be any universal state formula (For all i. P(i)) Definition: model exhibits  if contains state that satisfies  Thm: M(gc(k), Init) exhibits  iff M(gc(1), Init) exhibits  Other theorems with different initial conditions and properties in paper

12 Expressiveness and Limitations PGCL/PTSL can model: – Reference monitors that are row independent and row uniform – Any policy that is expressible as finite state automata over rows (safety property) Paper describes compilation to convert FSA policy to PGCL reference monitor

13 Related Work Parametric verification for correctness – Missing whole array operators or less efficient [Lazic et al.] and [Emerson and Kahlon] Parametric verification for security – Focus on security protocols [Lowe et al.], [Roscoe and Broadfoot], [Durgin et al.], [Millen] Model checking for security – Study non-parametric verification of secure systems [Guttman et al.], [Lie et al.], [Mitchell et al.] Bug finding with adversaries – Unsound or incomplete methods [Kidd et al.], [Emmi et al.] Operating system verification – Manual/semi-automated verification [Walker et al.], [Heitmeyer et al.], [Klein et al.]

14 Conclusions Scalable automated verification technique for reference monitors that manipulate unbounded data structures – PGCL to model adversaries, reference monitors – PTSL to specify security properties – Small model theorems that relate small/large models Application to SecVisor (W XOR X) and sHype (Chinese Wall Policy) Limitations and extensions – Design level, extend to code – Row-independent systems, extend to systems/properties with relationships between rows

15 SecVisor Model Kernel Entry ≡ ¬ kernelmode ? kernelmode := ⊤ ; for i : Pn,q do Pn,q[i][SPTPA] = KC ? Pn,q[i][SPTRW] := ⊥ ; Pn,q[i][SPTX] := ⊤ ; … Sync ≡ ⊤ ? for i : Pn,q do ⊤ ? Pn,q[i][SPTPA] := Pn,q[i][KPTPA] Attacker ≡ ⊤ ? for i : Pn,q do Pn,q[i][KPTPA] := ∗ ; Pn,q[i][KPTRW] := ∗ ; Pn,q[i][KPTX] := ∗ RUM R X WXKC KD Kernel Page Table RUM RW XKC KD Shadow Page Table Sync (W XOR X)

16 SecVisor Verification SecVisor, adversary, and properties expressible – Small model theorems apply Translate to Murphi, verify – Two vulnerabilities, fixed Secure Sync ≡ ⊤ ? for i : Pn,q do ( ¬ Pn,q[i][SPTX] ∧ ¬ (Pn,q[i][KPTPA] = KC)) ? Pn,q[i][SPTPA] := Pn,q[i][KPTPA] Sync ≡ ⊤ ? for i : Pn,q do ⊤ ? Pn,q[i][SPTPA] :=Pn,q[i][KPTPA]

17 Small Model Simulation Theorem 2: (Small Model Simulation). – Let gc(k) be any instantiated guarded command. – Let Init \in GF be any generic state formula. – Then: – M(gc(k),Init) <= M(gc(1),Init) and – M(gc(1),Init) <= M(gc(k),Init)

18 Parametric Guarded Command Language (PGCL) PGCL for modeling system + adversary Boolean variables, natural numbers, Boolean exp E Assignment command Simple guarded command GC || GC Parallel composition for I : P[n,q] do E ? C Parametric guarded command P[n,q] := E Parameterized array assign. Others…

19 Parametric Guarded Command Language (PGCL) Language for modeling system & adversary – Finite number of Boolean variables – Sys. parameter: n – Single parametric array: P of size n x q – Parametric loop for i : P[n,q] do E ? C Kernel Entry ≡ ¬ kernelmode ? kernelmode := ⊤ ; for i : Pn,q do Pn,q[i][Read] = T ? Pn,q[i][eXe] := ⊥ ;

20 Specification Logic Reachability properties (state formulas) – Universal, existential, and generic Temporal logic specifications (path formulas) – Subset of ACTL* with USF as atomic prop. Execution Integrity: In kernel mode, only kernel code should be executable. It is stated as follows: Pexec == MODE=KERNEL ⇒ ( ∀ i P[i][SPTX] ⇒ (P[i][SPTPA] = KC))

Download ppt "Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size Jason Franklin, Sagar Chaki,"

Similar presentations

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.

The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Timed Automata.

Timed Automata.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

Similar presentations

Ads by Google