Nickel: A framework for design and verification of information flow control systems
|
|
|
- Elvin Cunningham
- 5 years ago
- Views:
Transcription
1 Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1
2 Motivation: high verification burden Verification is effective at eliminating bugs Requires expertise Large time investment 2
3 Approach: push-button verification Yggdrasil OSDI 2016 Crash-safe filesystems (Python) Hyperkernel SOSP 2017 Small OS kernel (C, memory isolation) Nickel OSDI 2018 Information flow control systems 3
4 Information flow control systems
5
6
7 Goal: eliminate covert channels from systems Covert channel (Lampson 73): unintended flow between system components Approach: verification-driven development Verify noninterference for interface specification Verify refinement for implementation Limitations: no physical channels; no concurrency 7
8 Contributions Formulation of noninterference amenable to automated verification Nickel is a framework for verifying IFC systems. Applied Nickel to verify systems including NiStar: first formally verified DIFC OS kernel ARINC 653 communication interface: avionics kernel standard 8
9 Example covert channel: resource names Policy: process A and process B should not communicate Interface: spawn system call returns sequential PIDs Try to violate policy by sending a secret (in this case, 2) to process B Process A 2 Process B 9
10 Example covert channel: resource names Policy: process A and process B should not communicate Interface: spawn system call returns sequential PIDs Process A 6-3-1=2 Process B spawn 3 spawn 4 spawn 5 spawn 6 10
11 Noninterference intuition Process B Process A Process A Process B spawn 3 spawn 4 spawn 5 spawn 6 Process B Process B spawn 3 spawn 4 11
12 Noninterference intuition Many kinds of covert channels Process Resource B Process names Aand exhaustion Process A Process B spawn 3 spawn 4 spawn 5 spawn 6 Statistical information Error handling Scheduling Process B Process B Devices and services spawn 3 spawn 4 12
13 Noninterference For any trace tr, action a, removing irrelevant actions should not affect the output of a. output(run(init, tr), a) = output(run(init, purge*(tr, a)), a) 13
14 Information flow policies in Nickel A set of domains D : Set A can-flow-to relation specifying permitted flows among domains (D D) A function mapping an action in a state to a domain dom : (A S) D pid 1 pid 2 pid n 14
15 Automated verification of noninterference Proof strategy: unwinding conditions Together imply noninterference Reason about one action at a time Amenable to SMT solving using Z3 Local respect I(s) (dom(a, s) v) s v step(s, a) Output consistency I(s) I(t) s dom(a,s) t output(s, a) = output(t, a) Weak step consistency I(s) I(t) s u t s dom(a,s) t step(s, a) u step(t, a) 15
16 Nickel workflow Counterexample Specify policy Design interface Verify interface against policy Interface noninterference Counterexample Implement interface Verify implementation against interface Implementation noninterference and functional correctness 16
17 Programmer inputs Information flow policy Interface specification Observational equivalence 17
18 Information flow policy Interface specification Observational equivalence n processes that are not allowed to communicate pid 1 pid 2 pid n 18
19 Information flow policy Interface specification Observational equivalence n processes that are not allowed to communicate class State: current = PidT() nr_procs = SizeT() proc_status = Map(PidT, StatusT) def can_flow_to(domain1, domain2): # Flow only permitted if same domain return domain1 == domain2 def dom(action, state): # Domain of each action is current process return state.current pid 1 pid 2 pid n 19
20 Information flow policy Interface specification Observational equivalence Compute child pid Precondition for system call Update system state Return new state def sys_spawn(old): child_pid = old.nr_procs + 1 pre = child_pid <= NR_PROCS new = old.copy() new.nr_procs += 1 new.proc_status[child_pid] = RUNNABLE return pre, If(pre, new, old) 20
21 Information flow policy Interface specification Observational equivalence State 1 current pid 4 State 2 current nr_procs nr_procs proc_status[3] proc_status[3] proc_status[4] proc_status[4] 21
22 Information flow policy Interface specification Observational equivalence class State: current = PidT() nr_procs = SizeT() proc_status = Map(PidT, StatusT) def obs_eqv(domain, state1, state2): return And( state1.current == state2.current, state1.nr_procs == state2.nr_procs, state1.proc_status[domain.pid] == state2.proc_status[domain.pid] ) State 1 current pid 4 State 2 current nr_procs nr_procs proc_status[3] proc_status[3] proc_status[4] proc_status[4] 22
23 Systems verified using Nickel Component NiStar NiKOS ARINC 653 Information flow policy Interface specification Observational equivalence Implementation 3, User-space implementation 9, Common kernel infrastructure 4,829 (shared by NiStar/NiKOS) 23
24 Demo
25 spawn example pid 1 pid 2 pid n 25
26 tainting example send(b, 12) Process A Process B Process C Process D Value: 0 Value: 42 Value: 3 Value: 5 Level: tainted Level: untainted Level: untainted Level: tainted 26
27 tainting example send(b, 12) Process A Process B Process C Process D Value: 0 Value: 12 Value: 3 Value: 5 Level: tainted Level: tainted Level: untainted Level: tainted 27
28 tainting example if Value == 0: send(b, 0) Process A Value: secret_bit wait(500) if Level!= tainted: send(c, 1) Level: tainted Process B wait(1000) if Value == 0: # secret is 0 else: # secret is 1 Process C Value: 0 Level: untainted Value: 0 Level: untainted 28
29 tainting example if Value == 0: send(b, 0) Process A Value: 1 wait(500) if Level!= tainted: send(c, 1) Level: tainted Process B wait(1000) if Value == 0: # secret is 0 else: # secret is 1 Process C Value: 1 Level: untainted Value: 0 Level: untainted send(c, 1) 29
30 tainting example if Value == 0: send(b, 0) Process A Value: 0 wait(500) if Level!= tainted: send(c, 1) Level: tainted Process B wait(1000) if Value == 0: # secret is 0 else: # secret is 1 send(b, 0) Process C Value: 0 Level: untainted Value: 0 Level: tainted 30
31 Thanks! 31
Helgi Sigurbjarnarson
Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang.org Enforcing information
Nickel: A Framework for Design and Verification of Information Flow Control Systems
Nickel: A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang University of Washington
Hyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
Push-Button Verification of File Systems
1 / 24 Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, Xi Wang University of Washington 2 / 24 File systems are hard to get right Complex
Designing Systems for Push-Button Verification
Designing Systems for Push-Button Verification Luke Nelson, Helgi Sigurbjarnarson, Xi Wang Joint work with James Bornholt, Dylan Johnson, Arvind Krishnamurthy, EminaTorlak, Kaiyuan Zhang Formal verification
Push-Button Verification of File Systems
1 / 25 Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, Xi Wang University of Washington October 26, 2016 2 / 25 File systems are hard
Hyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang University of Washington {lukenels,helgi,kaiyuanz,dgj16,bornholt,emina,xi}@cs.washington.edu
A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees
A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees by Bruno Castro-Karney Supervised by Xi Wang A senior thesis submitted in partial fulfillment of the requirements for the degree of Bachelor
Push-button verification of Files Systems via Crash Refinement
Push-button verification of Files Systems via Crash Refinement Verification Primer Behavioral Specification and implementation are both programs Equivalence check proves the functional correctness Hoare
Labels and Information Flow
Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation
Getting to know you. Anatomy of a Process. Processes. Of Programs and Processes
Getting to know you Processes A process is an abstraction that supports running programs A sequential stream of execution in its own address space A process is NOT the same as a program! So, two parts
Software Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
Property-Based Testing for Coq. Cătălin Hrițcu
Property-Based Testing for Coq Cătălin Hrițcu Prosecco Reading Group - Friday, November 29, 2013 The own itch I m trying to scratch hard to devise correct safety and security enforcement mechanisms (static
Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
Introduction to Information Security
Introduction to Information Security 0368-3065, Spring 2013 Lecture 5: Information flow control (cont.), process confinement Eran Tromer 1 Slides credit: Dan Boneh and John Mitchell, Stanford Max Krohn,
Symbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
Flexible Dynamic Information Flow Control in Haskell
Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C. Mitchell 1 David Mazières 1 1 2 Haskell 11 www.scs.stanford.edu/ deian/lio Introduction Motivation Motivation
HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,
HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008, Chicago Component Security Integration John Rushby Computer
Information Security CS526
Information Security CS 526 Topic 20: Non-interference and Nondeducibility 1 Optional Readings for This Lecture Security Policies and Security Models. J.A.Goguen and J.Meseguer. Oakland 1982 Non-deducibility
CS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu
CS61 Scribe Notes Date: 11.6.14 Topic: Fork, Advanced Virtual Memory Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu Administrivia: Final likely less of a time constraint What can we do during
CS 475. Process = Address space + one thread of control Concurrent program = multiple threads of control
Processes & Threads Concurrent Programs Process = Address space + one thread of control Concurrent program = multiple threads of control Multiple single-threaded processes Multi-threaded process 2 1 Concurrent
Automatic Generation of Program Specifications
Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1 Synopsis Specifications are useful
Topics in Systems and Program Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and
Building Secure Web Applications: Practical Principles. Deian Stefan
Building Secure Web Applications: Practical Principles Deian Stefan Facebook missed a single security check [PopPhoto.com Feb 10, 2015] What didn t make the news What didn t make the news Our intern accidentally
Roadmap. Tevfik Ko!ar. CSC Operating Systems Spring Lecture - III Processes. Louisiana State University. Virtual Machines Processes
CSC 4103 - Operating Systems Spring 2008 Lecture - III Processes Tevfik Ko!ar Louisiana State University January 22 nd, 2008 1 Roadmap Virtual Machines Processes Basic Concepts Context Switching Process
Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1
Areas related to SW verif. Trends in Software Validation Abhik Roychoudhury CS 6214 Formal Methods Model based techniques Proof construction techniques Program Analysis Static Analysis Abstract Interpretation
CSCE 313 Introduction to Computer Systems. Instructor: Dezhen Song
CSCE 313 Introduction to Computer Systems Instructor: Dezhen Song Programs, Processes, and Threads Programs and Processes Threads Programs, Processes, and Threads Programs and Processes Threads Processes
Software Engineering
Software Engineering Lecture 13: Testing and Debugging Testing Peter Thiemann University of Freiburg, Germany SS 2014 Recap Recap Testing detect the presence of bugs by observing failures Recap Testing
Software Engineering Testing and Debugging Testing
Software Engineering Testing and Debugging Testing Prof. Dr. Peter Thiemann Universitt Freiburg 08.06.2011 Recap Testing detect the presence of bugs by observing failures Debugging find the bug causing
Verifying Recursive Programs using Intra-procedural Analyzers
Verifying Recursive Programs using Intra-procedural Analyzers Yu-Fang Chen, Academia Sinica, Taiwan joint work with Chiao Hsieh, Ming-Hsien Tsai, Bow-Yaw Wang and Farn Wang First of all Thanks for the
CSCE 313: Intro to Computer Systems
CSCE 313 Introduction to Computer Systems Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce313/ Programs, Processes, and Threads Programs and Processes Threads 1 Programs, Processes, and
CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak
Computer-Aided Reasoning for Software CSE507 Practical Applications of SAT courses.cs.washington.edu/courses/cse507/18sp/ Emina Torlak emina@cs.washington.edu Today Past 2 lectures The theory and mechanics
Process a program in execution; process execution must progress in sequential fashion. Operating Systems
Process Concept An operating system executes a variety of programs: Batch system jobs Time-shared systems user programs or tasks 1 Textbook uses the terms job and process almost interchangeably Process
Which Configuration Option Should I Change?
Which Configuration Option Should I Change? Sai Zhang, Michael D. Ernst University of Washington Presented by: Kıvanç Muşlu I have released a new software version Developers I cannot get used to the UI
Information Flow Control For Standard OS Abstractions
Information Flow Control For Standard OS Abstractions Maxwell Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris MIT SOSP 2007 Presenter: Lei Xia Mar. 2 2009 Outline
Quis Custodiet Ipsos Custodes The Java memory model
Quis Custodiet Ipsos Custodes The Java memory model Andreas Lochbihler funded by DFG Ni491/11, Sn11/10 PROGRAMMING PARADIGMS GROUP = Isabelle λ β HOL α 1 KIT 9University Oct 2012 of the Andreas State of
Browser Security Guarantees through Formal Shim Verification
Browser Security Guarantees through Formal Shim Verification Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable:
Reading Assignment 4. n Chapter 4 Threads, due 2/7. 1/31/13 CSE325 - Processes 1
Reading Assignment 4 Chapter 4 Threads, due 2/7 1/31/13 CSE325 - Processes 1 What s Next? 1. Process Concept 2. Process Manager Responsibilities 3. Operations on Processes 4. Process Scheduling 5. Cooperating
Verdi: A Framework for Implementing and Formally Verifying Distributed Systems
Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Key-value store VST James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi Wang, Michael D. Ernst, Thomas Anderson
Model Checking with Automata An Overview
Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques
SpaceSearch: A Library for Building and Verifying Solver-Aided Tools
SpaceSearch: A Library for Building and Verifying Solver-Aided Tools Konstantin Steven S. Stefan Weitz Lyubomirsky Heule Emina Torlak Michael D. Ernst Zachary Tatlock Reduction Reduction SMT Reduction
CMPSCI 230 Computer Systems Principles. Processes
CMPSCI 230 Computer Systems Principles Processes Objectives To understand what a process is To learn the basics of exceptional control flow To learn how to create child processes How to run programs? How
CS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
Having a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
Handling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
Chapter 5: Algorithms
Chapter 5 Algorithms By: J. Brookshear Modified by: Yacoub Sabatin, BEng, MSc Chapter 5: Algorithms 5.1 The Concept of an Algorithm 5.2 Algorithm Representation 5.3 Algorithm Discovery 5.4 Iterative Structures
Verified Secure Routing
Verified Secure Routing David Basin ETH Zurich EPFL, Summer Research Institute June 2017 Team Members Verification Team Information Security David Basin Tobias Klenze Ralf Sasse Christoph Sprenger Thilo
Formal Methods Expert to IMA-SP Kernel Qualification Preparation
Formal Methods Expert to IMA-SP Kernel Qualification Preparation Andrew Butterfield Formal Methods Expert to IMA-SP Kernel Qualification Preparation ESTEC Contract No 4000112208 9 th June 2016 10/06/2016
Alive: Provably Correct InstCombine Optimizations
Alive: Provably Correct InstCombine Optimizations David Menendez Santosh Nagarakatte Rutgers University John Regehr University of Utah Nuno Lopes Microsoft Research Can We Trust Compilers? Any large software
Runtime Checking and Test Case Generation for Python
Runtime Checking and Test Case Generation for Python Anna Durrer Master Thesis Chair of Programming Methodology D-INFK ETH Supervisor: Marco Eilers, Prof. Peter Müller 24. Mai 2017 1 Introduction This
Lecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001
Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright
Buffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus
Testing Prof. Clarkson Fall 2017 Today s music: Wrecking Ball by Miley Cyrus Review Previously in 3110: Modules Specification (functions, modules) Today: Validation Testing Black box Glass box Randomized
Having a BLAST with SLAM
Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver
Model Checking Embedded C Software using k-induction and Invariants
FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda
Protection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
Lecture 4: Process Management
Lecture 4: Process Management (Chapters 2-3) Process: execution context of running program. A process does not equal a program! Process is an instance of a program Many copies of same program can be running
Fall 2015 COMP Operating Systems. Lab #3
Fall 2015 COMP 3511 Operating Systems Lab #3 Outline n Operating System Debugging, Generation and System Boot n Review Questions n Process Control n UNIX fork() and Examples on fork() n exec family: execute
Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Characteristics of! System to be! built must! match required! characteristics!
Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Requirements Spec.! Design! Test Results must! match required behavior! Characteristics of! System to be! built must! match required! characteristics!
Applying MILS to multicore avionics systems
Applying MILS to multicore avionics systems Eur Ing Paul Parkinson FIET Principal Systems Architect, A&D EuroMILS Workshop, Prague, 19 th January 2016 2016 Wind River. All Rights Reserved. Agenda A Brief
Remote Exploit. compass-security.com 1
Remote Exploit compass-security.com 1 Content Intel Architecture Memory Layout C Arrays Buffer Overflow BoF Exploit Assembler Shellcode Function Calls Debugging Remote Exploit Exploit Mitigations Defeat
The ComFoRT Reasoning Framework
Pittsburgh, PA 15213-3890 The ComFoRT Reasoning Framework Sagar Chaki James Ivers Natasha Sharygina Kurt Wallnau Predictable Assembly from Certifiable Components Enable the development of software systems
Plugging Side-Channel Leaks with Timing Information Flow Control
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://bford.info/ Abstract The cloud model s dependence on massive parallelism and resource sharing exacerbates
Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final
Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018
Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution
arxiv: v2 [cs.pl] 3 Apr 2018
![arxiv: v2 [cs.pl] 3 Apr 2018](/thumbs/89/98539697.jpg "arxiv: v2 [cs.pl] 3 Apr 2018")
1 Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification arxiv:1708.08323v2 [cs.pl] 3 Apr 2018 LIANGZE YIN, School of Computer, National University of Defense Technology,
Last time: introduction. Networks and Operating Systems ( ) Chapter 2: Processes. This time. General OS structure. The kernel is a program!
ADRIAN PERRIG & TORSTEN HOEFLER Networks and Operating Systems (252-0062-00) Chapter 2: Processes Last time: introduction Introduction: Why? February 12, 2016 Roles of the OS Referee Illusionist Glue Structure
CMPSC 497: Static Analysis
CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,
CS590U Access Control: Theory and Practice. Lecture 5 (January 24) Noninterference and Nondeducibility
CS590U Access Control: Theory and Practice Lecture 5 (January 24) Noninterference and Nondeducibility Security Policies and Security Models J.A.Goguen and J.Meseguer Oakland 1982 Distinction Between Models
Lecture 4: Bell LaPadula
CS 591: Introduction to Computer Security Lecture 4: Bell LaPadula James Hook Objectives Introduce the Bell LaPadula framework for confidentiality policy Discuss realizations of Bell LaPadula References:
CS 301: Recursion. The Art of Self Reference. Tyler Caraza-Harter
CS 301: Recursion The Art of Self Reference Tyler Caraza-Harter Goal: use self-reference is a meaningful way Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's
CITS5501 Software Testing and Quality Assurance Formal methods
CITS5501 Software Testing and Quality Assurance Formal methods Unit coordinator: Arran Stewart May 1, 2018 1 / 49 Sources Pressman, R., Software Engineering: A Practitioner s Approach, McGraw-Hill, 2005
Fully Automatic and Precise Detection of Thread Safety Violations
Fully Automatic and Precise Detection of Thread Safety Violations Michael Pradel and Thomas R. Gross Department of Computer Science ETH Zurich 1 Motivation Thread-safe classes: Building blocks for concurrent
Lecture Topics. Announcements. Today: Threads (Stallings, chapter , 4.6) Next: Concurrency (Stallings, chapter , 5.
Lecture Topics Today: Threads (Stallings, chapter 4.1-4.3, 4.6) Next: Concurrency (Stallings, chapter 5.1-5.4, 5.7) 1 Announcements Make tutorial Self-Study Exercise #4 Project #2 (due 9/20) Project #3
Having a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
Race Analysis for SystemC using Model Checking
Race Analysis for SystemC using Model Checking Nicolas Blanc, Daniel Kroening www.cprover.org/scoot Supported by Intel and SRC Department of Computer Science ETH Zürich Wednesday, 19 November 2008 This
Concurrent Programming
Concurrent Programming is Hard! Concurrent Programming Kai Shen The human mind tends to be sequential Thinking about all possible sequences of events in a computer system is at least error prone and frequently
Advanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
Classifying Bugs with Interpolants
Classifying Bugs with Interpolants Andreas Podelski 1, Martin Schäf 2, and Thomas Wies 3 1 University of Freiburg 2 SRI International 3 New York University Abstract. We present an approach to the classification
Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)
Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract) Felipe R. Monteiro Mário A. P. Garcia Lucas C. Cordeiro Eddie B. de Lima Filho 33 rd IEEE/ACM International
Operating System. Chapter 3. Process. Lynn Choi School of Electrical Engineering
Operating System Chapter 3. Process Lynn Choi School of Electrical Engineering Process Def: A process is an instance of a program in execution. One of the most profound ideas in computer science. Not the
Baseline Testing Services. Whitepaper Vx.x
Whitepaper Vx.x 2018-04 Table of Contents 1 Introduction... 3 2 What is Baseline Testing?... 3 3 Customer Challenge... 3 4 Project Details... 3 4.1 First Steps... 3 4.2 Project Management... 3 4.3 Software
Formal methods for software security
Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality
Programming Language Vulnerabilities within the ISO/IEC Standardization Community
Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen Michell International Convenor JTC 1/SC 22 WG 23 Programming Language Vulnerabilities stephen.michell@maurya.on.ca
Software Infrastructure for Data Assimilation: Object Oriented Prediction System
Software Infrastructure for Data Assimilation: Object Oriented Prediction System Yannick Trémolet ECMWF Blueprints for Next-Generation Data Assimilation Systems, Boulder, March 2016 Why OOPS? Y. Trémolet
6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
Advanced Systems Security: Security Goals
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
Remote Exploit. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona
Remote Exploit Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout C Arrays
A Toolbox for Counter-Example Analysis and Optimization
A Toolbox for Counter-Example Analysis and Optimization Alan Mishchenko Niklas Een Robert Brayton Department of EECS, University of California, Berkeley {alanmi, een, brayton}@eecs.berkeley.edu Abstract
High-Level Small-Step Operational Semantics for Software Transactions
High-Level Small-Step Operational Semantics for Software Transactions Katherine F. Moore Dan Grossman The University of Washington Motivating Our Approach Operational Semantics Model key programming-language
Seminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
Improving Usability of Information Flow Security in Java
Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F. Smith Department of Computer Science Johns Hopkins University PLAS 07 1 Motivation Information security is
Background: I/O Concurrency
Background: I/O Concurrency Brad Karp UCL Computer Science CS GZ03 / M030 5 th October 2011 Outline Worse Is Better and Distributed Systems Problem: Naïve single-process server leaves system resources
Having a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
8.3 Mandatory Flow Control Models
8.3 Mandatory Flow Control Models Mingsen Xu Advanced Operating System 2011-10-26 Outline Mandatory Flow Control Models - Information Flow Control - Lattice Model - Multilevel Security Model - Bell-Lapadula
Abstractions and small languages in synthesis CS294: Program Synthesis for Everyone
Abstractions and small languages in synthesis CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California, Berkeley Today Today: we describe why high-level
Extending the Web Security Model with Information Flow Control
Extending the Web Security Model with Information Flow Control Deian Stefan Advised by David Herman Motivation: 3rd party libraries Password-strength checker Desired security policy: Password is not leaked
Secure Programming Lecture 15: Information Leakage
Secure Programming Lecture 15: Information Leakage David Aspinall 21st March 2017 Outline Overview Language Based Security Taint tracking Information flow security by type-checking Summary Recap We have