Scalable parametric verification of secure systems: How to verify reference monitors without worrying about data structure size

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2010, Pages 365-379

  Franklin, Jason ^a   Chaki, Sagar ^a   Datta, Anupam ^a   Seshadri, Arvind ^b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b IBM RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATED FORMAL VERIFICATION; AUTOMATED VERIFICATION; CODE SIZE; GUARDED COMMANDS; ITS DATA; LARGE DATA; MODEL CHECK; OPERATING SYSTEMS; PARAMETRIC VERIFICATION; RECENT PROGRESS; REFERENCE MONITORS; SECURE SYSTEM; SECURITY POLICY; SECURITY PROPERTIES; SMALL MODEL THEOREM; TEMPORAL SPECIFICATION;

ACCESS CONTROL; DATA STRUCTURES; DECENTRALIZED CONTROL; SECURITY SYSTEMS; TEMPORAL LOGIC; WEB BROWSERS;

COMPUTER OPERATING SYSTEMS;

EID: 77955216681     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2010.29     Document Type: Conference Paper

References (46)

1. J. P Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA, Oct. 1972.
2. K. R. Apt and D. C. Kozen. Limits for automatic verification of finitestate concurrent systems. Information Processing Letters, 22(6):307-309, 1986. (Pubitemid 16589252)
3. Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP), 2003.
4. W. E. Boebert and R. Y. Kain. A practical alternative to hierarchical integrity policies. In Proceedings of the 8th National Computer Security Conference, Gaithersburg, Maryland, 1985.
5. D. F. C. Brewer and M.J. Nash. The chinese wall security policy. In Proceedings of the IEEE Symposium on Security and Privacy, May 1989.
6. Hao Chen and David Wagner. MOPS: an infrastructure for examining security properties of software. In Proceedings of the ACM Conference on Computer and Communications Security, pages 235-244, 2002.
7. Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, Cambridge, MA, 2000.
8. Nancy A. Durgin, Patrick Lincoln, and John C. Mitchell. Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security, 12(2):247-311, 2004.
9. E. Allen Emerson and Vineet Kahlon. Reducing model checking of the many to the few. In Proceedings of the 17th International Conference on Automated Deduction, July 2000.
10. E. Allen Emerson and Vineet Kahlon. Model checking large-scale and parameterized resource allocation systems. In Proceedings of the Eighth International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '02), 2002.
11. E. Allen Emerson and Vineet Kahlon. Exact and efficient verification of parameterized cache coherence protocols. In Proceedings of the 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME '03), pages 247-262, 2003.
12. E. Allen Emerson and Vineet Kahlon. Model checking guarded protocols. In 18th Annual IEEE Symposium on Logic in Computer Science (LICS'03), 2003.
13. E. Allen Emerson and Vineet Kahlon. Rapid parameterized model checking of snoopy cache coherence protocols. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '03), 2003.
14. E. Allen Emerson and Kedar S. Namjoshi. Automatic verification of parameterized synchronous systems (extended abstract). In Proceedings of the 8th International Conference on Computer Aided Verification, 1996.
15. E. Allen Emerson and Kedar S. Namjoshi. Verification of parameterized bus arbitration protocol. In Proceedings of the 10th International Conference on Computer Aided Verification, 1998.
16. M. Emmi, R. Jhala, E. Kohler, and R. Majumdar. Verifying reference counting implementations. In Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '09), 2009.
17. Jason Franklin, Sagar Chaki, Anupam Datta, and Arvind Seshadri. Scalable parametric verification of secure systems: How to verify reference monitors without worrying about data structure size. Technical Report CMU-CyLab-10-005, Carnegie Mellon University, 2010.
18. Jason Franklin, Arvind Seshadri, Ning Qu, Sagar Chaki, and Anupam Datta. Attacking, repairing, and verifying SecVisor: A retrospective on the security of a hypervisor. Technical Report CMU-CyLab-08-008, Carnegie Mellon University, 2008.
19. Steven M. German and A. Prasad Sistla. Reasoning about systems with many processes. Journal of the ACM, 39(3):675-735, 1992.
20. Joshua D. Guttman, Amy L. Herzog, John D. Ramsdell, and Clement W. Skorupka. Verifying information flow goals in security-enhanced linux. Journal of Computer Security, 13(1):115-134, 2005.
21. Seth Hallem, Benjamin Chelf, Yichen Xie, and Dawson Engler. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '02), 2002.
22. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Communications of the ACM, 19(8), August 1976.
23. Constance L. Heitmeyer, Myla Archer, Elizabeth I. Leonard, and John D. McLean. Formal specification and verification of data separation in a separation kernel for an embedded system. In Proceedings of the ACM Conference on Computer and Communications Security, pages 346-355, 2006.
24. Gerard J. Holzmann. The Model Checker SPIN. IEEE Trans. Software Eng., 23(5):279-295, 1997.
25. N. Kidd, T. Reps, J. Dolby, and M. Vaziri. Finding concurrency-related bugs using random isolation. In Proceedings of the 10th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI '09), 2009.
26. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an os kernel. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), 2009.
27. Leslie Lamport. Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, 2002.
28. Ranko Lazić, Tom Newcomb, and Bill Roscoe. On model checking dataindependent systems with arrays with whole-array operations. Lecture Notes in Computer Science, 3525:275-291, July 2004.
29. R.S. Lazić, T.C. Newcomb, and A.W. Roscoe. On model checking dataindependent systems with arrays without reset. Theory and Practice of Logic Programming (TPLP), 4(5&6), 2004.
30. David Lie, John Mitchell, Chandramohan A. Thekkath, and Mark Horowitz. Specifying and Verifying Hardware for Tamper-Resistant Software. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003.
31. Gavin Lowe. Towards a completeness result for model checking of security protocols. Journal of Computer Security, 7(1), 1999.
32. Jonathan Millen. A necessarily parallel attack. In Proceedings of the Workshop on Formal Methods and Security Protocols (FMSP), 1999.
33. J. C. Mitchell, V. Shmatikov, and U. Stern. Finite-State Analysis of SSL 3.0. In Proceedings of the Seventh USENIX Security Symposium, pages 201-216, 1998.
34. John C. Mitchell, Mark Mitchell, and Ulrich Stern. Automated Analysis of Cryptographic Protocols Using Mur?. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, 1997.
35. P.G. Neumann, R.S. Boyer, R.J. Feiertag, K.N. Levitt, and L. Robinson. A provably secure operating system: The system, its applications, and proofs. Technical report, SRI International, 1980.
36. IBM Research. The research hypervisor - a multi-platform, multipurpose research hypervisor. http://www.research.ibm.com/hypervisor.
37. A. W. Roscoe and P. J. Broadfoot. Proving security protocols with model checkers by data independence techniques. Journal Computer Security, 7(2-3):147-190, 1999.
38. John Rushby. The design and verification of secure systems. In Proceedings of the Eighth ACM Symposium on Operating System Principles (SOSP), pages 12-21, Asilomar, CA, December 1981. (ACM Operating Systems Review, Vol. 15, No. 5).
39. Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramon Caceres, Ronald Perez, Stefan Berger, John Linwood Griffin, and Leendert van Doorn. Building a MAC-Based security architecture for the Xen open-source hypervisor. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC), 2005.
40. Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), October 2007.
41. Jonathan S. Shapiro and Sam Weber. Verifying the eros confinement mechanism. In Proceedings of the 2000 IEEE Symposium on Security and Privacy, 2000.
42. I. Suzuki. Proving properties of a ring of finite state machines. Information Processing Letters, 28:213-213, 1988.
43. Enriquillo Valdez, Reiner Sailer, and Ronald Perez. Retrofitting the ibm power hypervisor to support mandatory access control. In Proceedings of the Twenty-Third Annual Computer Security Applications Conference (ACSAC), 2007.
44. Bruce J. Walker, Richard A. Kemmerer, and Gerald J. Popek. Specification and verification of the UCLA Unix security kernel. Communications of the ACM, 23(2):118-131, 1980. (Pubitemid 10465265)
45. Pierre Wolper. Expressing interesting properties of programs in propositional temporal logic. In Proceedings of the 13th ACM Symposium on Principles of Programming Languages, 1986.
46. Junfeng Yang, Paul Twohey, Dawson R. Engler, and Madanlal Musuvathi. Using model checking to find serious file system errors. In Proceedings of the USENIX Symposium on Operating System Design and Implementation (OSDI), pages 273-288, 2004.