58
Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org

A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

NickelA Framework for Design and Verification of

Information Flow Control Systems

Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney,

James Bornholt, Emina Torlak, and Xi Wang

.org

Page 2: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Enforcing information flow control is critical

Page 3: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control
Page 4: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channels through error codes

Page 5: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Eliminating unintended flows is difficult

• Covert channels: A channel not intended for information flow [Lampson ‘73]

• Covert channels are often inherent in interface design

• Examples of covert channels in interfaces:• ARINC 653 avionics standard [TACAS ‘16]

• Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]

Page 6: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Eliminating unintended flows is difficult

• Covert channels: A channel not intended for information flow [Lampson ‘73]

• Covert channels are often inherent in interface design

• Examples of covert channels in interfaces:• ARINC 653 avionics standard [TACAS ‘16]

• Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]

Page 7: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

• Extends prior work of push-button verification:• Yggdrasil [OSDI ‘16] & Hyperkernel [SOSP ‘17]

• Limitations• Finite interface, expressible using SMT.

• Hardware-based side channels not in scope and no concurrency.

Our approach: Verification-driven interface design

Specify policy Design interfaceVerify interface against policy

Counterexample

Page 8: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Contributions

•New formulation and proof strategy for noninterference

•Nickel: A framework for design and verification of information flow control (IFC) systems

• Experience building three systems using Nickel• First formally verified decentralized IFC OS kernel• Low proof burden: order of weeks

Page 9: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channel in resource names

Process 1 Process 2

Policy: Process 1 and Process 2 should not communicate

Design: Spawn with sequential PID allocation

Page 10: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channel in resource names

Process 1 Process 25

Design: Spawn with sequential PID allocation

Policy: Process 1 and Process 2 should not communicate

Page 11: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channel in resource names

Process 1 Process 25

11 spawn → 3

Design: Spawn with sequential PID allocation

Policy: Process 1 and Process 2 should not communicate

Page 12: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channel in resource names

Process 1 Process 25

11 spawn → 3

12spawn → 3+1

spawn → 3+5

Design: Spawn with sequential PID allocation

Policy: Process 1 and Process 2 should not communicate

Page 13: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channel in resource names

Process 1 Process 25

11 spawn → 3

12spawn → 3+1

spawn → 3+5

13 spawn → 3+5+1

Design: Spawn with sequential PID allocation

Policy: Process 1 and Process 2 should not communicate

Page 14: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Covert channel in resource names

Thread 1 Thread 2

Policy: Thread 1 and Thread 2 should not communicate

5

11 spawn → 3

12spawn → 3+1

spawn → 3+5

13 spawn → 3+5+1

Design: Spawn with sequential PID allocation

Examples of covert channels•Resource names

•Resource exhaustion

• Statistical information

• Error handling

• Scheduling

•Devices and services

Page 15: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Noninterference intuition

Process 2:spawn → 3

Process 1:spawn 5 times

Process 2:spawn → 9

Page 16: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Noninterference intuition

Process 2:spawn → 3

Process 1:spawn 5 times

Process 2:spawn → 9

Process 2:spawn → 3

Process 2:spawn → 4

Page 17: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Noninterference intuition

Process 2:spawn → 3

Process 1:spawn 5 times

Process 2:spawn → 9

Process 2:spawn → 3

Process 2:spawn → 4

Process 1 interferes with Process 2

Page 18: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Information flow policies in Nickel

• Set of domains 𝒟: e.g., processes

• Can-flow-to relation ⇝⊆ (𝒟 × 𝒟): permitted flow between domains

• Function dom: (𝐴 × 𝑆) → 𝒟: maps an action and state to a domain

Page 19: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Information flow policies in Nickel

• Set of domains 𝒟: e.g., processes

• Can-flow-to relation ⇝⊆ (𝒟 × 𝒟): permitted flow between domains

• Function dom: (𝐴 × 𝑆) → 𝒟: maps an action and state to a domain

Flexible definition enables broad set of policies

• Can-flow-to relation can be intransitive

• State dependent dom

Page 20: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Noninterference definition

sources 𝜖, 𝑢, 𝑠 ≔ 𝑢

sources 𝑎 ∘ 𝑡𝑟, 𝑢, 𝑠 ≔ ቐsources 𝑡𝑟, 𝑢, step 𝑠, 𝑎 ∪ dom 𝑎, 𝑠 if ∃𝑣 ∈ sources(𝑡𝑟, 𝑢, step 𝑠, 𝑎 . dom 𝑎, 𝑠 ⇝ 𝑢

sources 𝑡𝑟, 𝑢, step 𝑠, 𝑎 otherwise

purge 𝜖, 𝑢, 𝑠 ≔ 𝜖

purge 𝑎 ∘ 𝑡𝑟, 𝑢, 𝑠 ≔ ቐ𝑎 ∘ tr′ 𝑡𝑟′ ∈ purge 𝑡𝑟, 𝑢, step 𝑠, 𝑎 } if dom 𝑎, 𝑠 ∈ sources 𝑎 ∘ 𝑡𝑟, 𝑢, 𝑠

𝑎 ∘ tr′ 𝑡𝑟′ ∈ purge 𝑡𝑟, 𝑢, step 𝑠, 𝑎 } ∪ purge(𝑡𝑟, 𝑢, 𝑠) otherwise

∀ 𝑡𝑟′ ∈ purge 𝑡𝑟, dom 𝑎, run init, 𝑡𝑟 , init . output run init,𝑡𝑟 ,𝑎 = output run(init, 𝑡𝑟′ , 𝑎)

Page 21: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Given a policy, purging actions “irrelevant” to a domain should not affect the output of

the actions for that domain

Page 22: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Automated verification of noninterference

• ℐ init ∧ ℐ 𝑠 ⇒ ℐ step 𝑠, 𝑎

• ≈𝑢

is reflexive, symmetric, and transitive

• ℐ 𝑠 ∧ ℐ 𝑡 ∧ 𝑠 ≈𝑢𝑡 ⇒ (dom 𝑎, 𝑠 ⇝ 𝑢 ⇔ dom 𝑎, 𝑡 ⇝ 𝑢)

• ℐ 𝑠 ∧ dom 𝑎, 𝑠 ⇝ 𝑢 ⇒ s ≈𝑢step(𝑠, 𝑎)

Page 23: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Automated verification of noninterference

• ℐ init ∧ ℐ 𝑠 ⇒ ℐ step 𝑠, 𝑎

• ≈𝑢

is reflexive, symmetric, and transitive

• ℐ 𝑠 ∧ ℐ 𝑡 ∧ 𝑠 ≈𝑢𝑡 ⇒ (dom 𝑎, 𝑠 ⇝ 𝑢 ⇔ dom 𝑎, 𝑡 ⇝ 𝑢)

• ℐ 𝑠 ∧ dom 𝑎, 𝑠 ⇝ 𝑢 ⇒ s ≈𝑢step(𝑠, 𝑎)

Proof strategy: unwinding conditions• Together imply noninterference• Requires reasoning only about individual actions• Amenable to automated reasoning using SMT

Page 24: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Outline

•New formulation and proof strategy for noninterference

•Nickel: A framework for design and verification of information flow control (IFC) systems

• Experience building three systems using Nickel• First formally verified decentralized IFC OS kernel• Low proof burden: order of weeks

Page 25: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Verification-driven interface design in Nickel

Specify policy

1

Design interface

2Verify interface against policy

3

Counterexample

Page 26: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Verification-driven interface design in Nickel

Specify policy

1

Design interface

2Verify interface against policy

3

Counterexample

Implement interface

4Verify implementation

against interface

5

Page 27: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 28: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

pid 1 pid 2 ... pid n

Policy:n processes that are not allowed to communicate with each other

Observation function

Page 29: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 30: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 31: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 32: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 33: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 34: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 35: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 36: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 37: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 38: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Interface specification

Information flow policy

Trusted

Observation function

Page 39: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Information flow policy

Observation function

Trusted

Interface specification

Page 40: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Information flow policy

Observation function

Trusted

Interface specification

Page 41: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Information flow policy

Observation function

Trusted

Interface specification

Page 42: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Information flow policy

Observation function

Trusted

Interface specification

Page 43: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Observation function

Trusted

Interface specification

Page 44: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Trusted

Interface specification

Counter-example

Channel

Observation function

Page 45: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Trusted Counter-example

Bug

Interface specification

• Partition names among domains

• Reduce flows to the scheduler

• Perform flow checks early

• Limit resource usage with quotas

• Encrypt names from a large space

• Expose or enclose nondeterminism

Design patterns

Observation function

Page 46: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Trusted Counter-example

Bug

Interface specification

Observation function

Page 47: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Trusted Counter-example

Bug

Interface specification

Observation function

Page 48: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Trusted

Interface specification

Counter-example

Channel

Observation function

Page 49: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Nickel verifier

SMT

Information flow policy

Trusted

Interface specification

Counter-example

Channel

Verified

Observation function

Page 50: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Outline

•New formulation and proof strategy for noninterference

•Nickel: A framework for design and verification of information flow control (IFC) systems

• Experience building three systems using Nickel• First formally verified decentralized IFC OS kernel• Low proof burden: order of weeks

Page 51: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Decentralized information flow control (DIFC)

• Flexible mechanism to enforce security policies [SOSP ’97]• Each object assigned labels for tracking and mediating data access

• Several operating system kernels enforce DIFC:• Asbestos [SOSP ’05] • HiStar [OSDI ’06]• Flume [SOSP ’07]

• Our goal: Build a DIFC OS kernel without any covert channels

Page 52: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

NiStar: First verified DIFC OS

• Resembles an exokernel with finite interface design• 46 system calls and exception handlers

• Supports musl C stdlib using Linux emulation, file system, lwip network service

• Enforces information flow among small number of object types

• Labels, containers, threads, gates, page-table pages, user pages, quanta

• Each object is assigned three labels: Secrecy 𝑆, integrity 𝐼, ownership 𝑂

• Simple policy: Given two objects with domains ℒ1 and ℒ2:

• ℒ1 = ⟨𝑆1, 𝐼1 , 𝑂1⟩, ℒ2 = ⟨𝑆2, 𝐼2, 𝑂2⟩

• ℒ1 ⇝ ℒ2 ≔ (𝑆1 − 𝑂1 ⊆ 𝑆2 ∪𝑂2) ∧ (𝐼2 −𝑂2 ⊆ 𝐼1 ∪ 𝑂1)

Page 53: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

NiStar Scheduler

• New object types to close channel in scheduler

NiStar closes logical time channel in scheduler

Page 54: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Other systems

Subset of ARINC 653

• Industrial standard for avionics systems

• Reproduced three known bugs in the specification

NiKOS:

• Small Unix-like OS kernel mirroring mCertiKOS [PLDI ‘16]

• Process isolation policy

Page 55: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Implementation

Component NiStar NiKOS ARINC 653

Information flow policy 26 14 33

Interface specification 714 82 240

Observational equivalence 127 56 80

Interface implementation 3,155 343 -

User-space implementation 9,348 389 -

Common kernel infrastructure 4,829 (shared by NiStar / NiKOS)

Page 56: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Implementation

Component NiStar NiKOS ARINC 653

Information flow policy 26 14 33

Interface specification 714 82 240

Observational equivalence 127 56 80

Interface implementation 3,155 343 -

User-space implementation 9,348 389 -

Common kernel infrastructure 4,829 (shared by NiStar / NiKOS)

Concise policy

Page 57: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Low proof burden

• NiStar:• Six months for the first prototype implementation• Six weeks on verification

• NiKOS: two weeks

• ARINC 653: one week

Page 58: A Framework for Design and Verification of Information Flow …bornholt/papers/nickel-osdi18... · 2019. 8. 15. · A Framework for Design and Verification of Information Flow Control

Conclusion

•Verification-driven interface design• Systematic way to design secure interfaces

• Interactive workflow with counterexample-based debugging

• First verified DIFC system• Low proof burden

https://nickel.unsat.systems