Helgi Sigurbjarnarson
|
|
- Madeline Douglas
- 5 years ago
- Views:
Transcription
1 Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang.org
2 Enforcing information flow control is critical
3
4 Covert channels through error codes
5 Eliminating unintended flows is difficult Covert channels: A channel not intended for information flow [Lampson 73] Covert channels are often inherent in interface design Examples of covert channels in interfaces: ARINC 653 avionics standard [TACAS 16] Floating labels in Asbestos [Oakland 09, OSDI 06]
6 Eliminating unintended flows is difficult Covert channels: A channel not intended for information flow [Lampson 73] Covert channels are often inherent in interface design Examples of covert channels in interfaces: ARINC 653 avionics standard [TACAS 16] Floating labels in Asbestos [Oakland 09, OSDI 06]
7 Our approach: Verification-driven interface design Specify policy Design interface Verify interface against policy Counterexample Extends prior work of push-button verification: Yggdrasil [OSDI 16] & Hyperkernel [SOSP 17] Limitations Finite interface, expressible using SMT. Hardware-based side channels not in scope and no concurrency.
8 Contributions New formulation and proof strategy for noninterference Nickel: A framework for design and verification of information flow control (IFC) systems Experience building three systems using Nickel First formally verified decentralized IFC OS kernel Low proof burden: order of weeks
9 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation Process 1 Process 2
10 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2
11 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 1 spawn 3
12 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn 3+1 spawn spawn 3
13 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn 3+1 spawn spawn 3 13 spawn 3+5+1
14 Covert channel in resource names Policy: Thread 1 and Thread 2 should not communicate Examples of covert channels Design: Spawn with sequential PID allocation Resource names Resource exhaustion 5 Thread 1 Thread 2 Statistical information Error handling spawn 3+1 spawn 3+5 Scheduling 12 Devices and services 1 spawn 3 13 spawn 3+5+1
15 Noninterference intuition Process 2: spawn 3 Process 1: spawn 5 times Process 2: spawn 9
16 Noninterference intuition Process 2: spawn 3 Process 1: spawn 5 times Process 2: spawn 9 Process 2: spawn 3 Process 2: spawn 4
17 Noninterference intuition Process 2: spawn 3 Process 1: spawn 5 times Process 2: spawn 9 Process 2: spawn 3 Process 2: spawn 4 Process 1 interferes with Process 2
18 Information flow policies in Nickel Set of domains D: e.g., processes Can-flow-to relation (D D): permitted flow between domains Function dom: (A S) D: maps an action and state to a domain
19 Information flow policies in Nickel Set of domains D: e.g., processes Flexible definition enables broad set of policies Can-flow-to Can-flow-to relation relation can (D be intransitive D): permitted flow between domains Function State dom: dependent (A dom S) D: maps an action and state to a domain
20 Noninterference definition sources ε, u, s u sources tr, u, step s, a dom a, s if v sources(tr, u, step s, a. dom a, s u sources a tr, u, s ቐ sources tr, u, step s, a otherwise purge ε, u, s ε purge a tr, u, s ቐ a tr tr purge tr, u, step s, a } if dom a, s sources a tr, u, s a tr tr purge tr, u, step s, a } purge(tr, u, s) otherwise tr purge tr, dom a, run init, tr, init. output run init,tr, a = output run(init, tr, a)
21 Given a policy, purging actions irrelevant to a domain should not affect the output of the actions for that domain
22 Automated verification of noninterference I init I s I step s, a u is reflexive, symmetric, and transitive I s I t s u t (dom a, s u dom a, t u) I s dom a, s u s u step(s, a)
23 Automated verification of noninterference I init I s I step s, a u is reflexive, symmetric, and transitive Proof strategy: unwinding conditions Together imply noninterference Requires reasoning only about individual actions Amenable to automated reasoning using SMT I s I t s u t (dom a, s u dom a, t u) I s dom a, s u s u step(s, a)
24 Outline New formulation and proof strategy for noninterference Nickel: A framework for design and verification of information flow control (IFC) systems Experience building three systems using Nickel First formally verified decentralized IFC OS kernel Low proof burden: order of weeks
25 Verification-driven interface design in Nickel 1 Specify policy 2 Design interface 3 Verify interface against policy Counterexample
26 Verification-driven interface design in Nickel 1 Specify policy 2 Design interface 3 Verify interface against policy Counterexample 5 Verify implementation against interface 4 Implement interface
27 Trusted Information flow policy Interface specification Observation function
28 Trusted Information flow policy Interface specification Policy: n processes that are not allowed to communicate with each other pid 1 pid 2... pid n Observation function
29 Trusted Information flow policy Interface specification Observation function
30 Trusted Information flow policy Interface specification Observation function
31 Trusted Information flow policy Interface specification Observation function
32 Trusted Information flow policy Interface specification Observation function
33 Trusted Information flow policy Interface specification Observation function
34 Trusted Information flow policy Interface specification Observation function
35 Trusted Information flow policy Interface specification Observation function
36 Trusted Information flow policy Interface specification Observation function
37 Trusted Information flow policy Interface specification Observation function
38 Trusted Information flow policy Interface specification Observation function
39 Trusted Information flow policy Interface specification Observation function
40 Trusted Information flow policy Interface specification Observation function
41 Trusted Information flow policy Interface specification Observation function
42 Trusted Information flow policy Interface specification Observation function
43 Trusted Information flow policy Interface specification SMT Nickel verifier Observation function
44 Trusted Information flow policy Channel Counterexample Interface specification SMT Nickel verifier Observation function
45 Trusted Information flow policy Interface specification Observation function SMT Design patterns Bug Partition names among domains Reduce flows to the scheduler Nickel Perform flow checks early verifier Limit resource usage with quotas Encrypt names from a large space Expose or enclose nondeterminism Counterexample
46 Trusted Information flow policy Bug Counterexample Interface specification SMT Nickel verifier Observation function
47 Trusted Information flow policy Bug Counterexample Interface specification SMT Nickel verifier Observation function
48 Trusted Information flow policy Channel Counterexample Interface specification SMT Nickel verifier Observation function
49 Trusted Information flow policy Channel Counterexample Interface specification SMT Nickel verifier Verified Observation function
50 Outline New formulation and proof strategy for noninterference Nickel: A framework for design and verification of information flow control (IFC) systems Experience building three systems using Nickel First formally verified decentralized IFC OS kernel Low proof burden: order of weeks
51 Decentralized information flow control (DIFC) Flexible mechanism to enforce security policies [SOSP 97] Each object assigned labels for tracking and mediating data access Several operating system kernels enforce DIFC: Asbestos [SOSP 05] HiStar [OSDI 06] Flume [SOSP 07] Our goal: Build a DIFC OS kernel without any covert channels
52 NiStar: First verified DIFC OS Resembles an exokernel with finite interface design 46 system calls and exception handlers Supports musl C stdlib using Linux emulation, file system, lwip network service Enforces information flow among small number of object types Labels, containers, threads, gates, page-table pages, user pages, quanta Each object is assigned three labels: Secrecy S, integrity I, ownership O Simple policy: Given two objects with domains L 1 and L 2 : L 1 = S 1, I 1, O 1, L 2 = S 2, I 2, O 2 L 1 L 2 (S 1 O 1 S 2 O 2 ) (I 2 O 2 I 1 O 1 )
53 NiStar Scheduler New object types to close channel in scheduler NiStar closes logical time channel in scheduler
54 Other systems Subset of ARINC 653 Industrial standard for avionics systems Reproduced three known bugs in the specification NiKOS: Small Unix-like OS kernel mirroring mcertikos [PLDI 16] Process isolation policy
55 Implementation Component NiStar NiKOS ARINC 653 Information flow policy Interface specification Observational equivalence Interface implementation 3, User-space implementation 9, Common kernel infrastructure 4,829 (shared by NiStar / NiKOS)
56 Implementation Component NiStar NiKOS ARINC 653 Information flow policy Interface specification Observational equivalence Interface implementation 3, User-space implementation 9, Common kernel infrastructure 4,829 (shared by NiStar / NiKOS) Concise policy
57 Low proof burden NiStar: Six months for the first prototype implementation Six weeks on verification NiKOS: two weeks ARINC 653: one week
58 Conclusion Verification-driven interface design Systematic way to design secure interfaces Interactive workflow with counterexample-based debugging First verified DIFC system Low proof burden
Nickel: A framework for design and verification of information flow control systems
Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New
More informationNickel: A Framework for Design and Verification of Information Flow Control Systems
Nickel: A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang University of Washington
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationDesigning Systems for Push-Button Verification
Designing Systems for Push-Button Verification Luke Nelson, Helgi Sigurbjarnarson, Xi Wang Joint work with James Bornholt, Dylan Johnson, Arvind Krishnamurthy, EminaTorlak, Kaiyuan Zhang Formal verification
More informationPush-Button Verification of File Systems
1 / 24 Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, Xi Wang University of Washington 2 / 24 File systems are hard to get right Complex
More informationPush-Button Verification of File Systems
1 / 25 Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, Xi Wang University of Washington October 26, 2016 2 / 25 File systems are hard
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang University of Washington {lukenels,helgi,kaiyuanz,dgj16,bornholt,emina,xi}@cs.washington.edu
More informationA Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees
A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees by Bruno Castro-Karney Supervised by Xi Wang A senior thesis submitted in partial fulfillment of the requirements for the degree of Bachelor
More informationInformation Flow Control For Standard OS Abstractions
Information Flow Control For Standard OS Abstractions Maxwell Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris MIT SOSP 2007 Presenter: Lei Xia Mar. 2 2009 Outline
More informationPractical DIFC Enforcement on Android
Practical DIFC Enforcement on Android Adwait Nadkarni 1, Benjamin Andow 1, William Enck 1, Somesh Jha 2 1 North Carolina State University 2 University of Wisconsin-Madison The new Modern Operating Systems
More information8.3 Mandatory Flow Control Models
8.3 Mandatory Flow Control Models Mingsen Xu Advanced Operating System 2011-10-26 Outline Mandatory Flow Control Models - Information Flow Control - Lattice Model - Multilevel Security Model - Bell-Lapadula
More informationLabels and Information Flow
Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation
More informationTopics in Systems and Program Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and
More informationKomodo: Using Verification to Disentangle Secure-Enclave Hardware from Software
Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon
More informationGerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish
Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish Thomas Sewell Harvey Tuch Simon Winwood 1 microkernel
More informationCS590U Access Control: Theory and Practice. Lecture 5 (January 24) Noninterference and Nondeducibility
CS590U Access Control: Theory and Practice Lecture 5 (January 24) Noninterference and Nondeducibility Security Policies and Security Models J.A.Goguen and J.Meseguer Oakland 1982 Distinction Between Models
More informationThe Evolution of Secure Operating Systems
The Evolution of Secure Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1 Operating Systems
More informationOperating System Kernels
Operating System Kernels Presenter: Saikat Guha Cornell University CS 614, Fall 2005 Operating Systems Initially, the OS was a run-time library Batch ( 55 65): Resident, spooled jobs Multiprogrammed (late
More informationDIFC Programs by Automatic Instrumentation
DIFC Programs by Automatic Instrumentation William R. Harris Univ. of Wisconsin, Madison Dept. of Computer Sciences wrharris@cs.wisc.edu Somesh Jha Univ. of Wisconsin, Madison Dept. of Computer Sciences
More informationLanguage-Based Information- Flow Security
Language-Based Information- Flow Security Andrei Sabelfeld Andrew C. Myers Presented by Shiyi Wei About the paper Literature review Information flow security Static program analysis to enforce information-flow
More informationExplicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières
Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious
More informationDIFC Programs by Automatic Instrumentation
DIFC Programs by Automatic Instrumentation William R. Harris Univ. of Wisconsin, Madison Dept. of Computer Sciences wrharris@cs.wisc.edu Somesh Jha Univ. of Wisconsin, Madison Dept. of Computer Sciences
More informationECE519 Advanced Operating Systems
IT 540 Operating Systems ECE519 Advanced Operating Systems Prof. Dr. Hasan Hüseyin BALIK (4 th Week) (Advanced) Operating Systems 4. Threads Processes and Threads Types of Threads Multicore and Multithreading
More informationVirtual Machine Security
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal
More informationApplying MILS to multicore avionics systems
Applying MILS to multicore avionics systems Eur Ing Paul Parkinson FIET Principal Systems Architect, A&D EuroMILS Workshop, Prague, 19 th January 2016 2016 Wind River. All Rights Reserved. Agenda A Brief
More informationTopics in Systems and Program Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and
More information(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt
Verification (See related materials in textbook.) Outline What are the goals of verification? What are the main approaches to verification? What kind of assurance do we get through testing? How can testing
More informationHAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,
HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008, Chicago Component Security Integration John Rushby Computer
More informationVerifying Information Flow Control Over Unbounded Processes
Verifying Information Flow Control Over Unbounded Processes William R. Harris 1, Nicholas A. Kidd 1, Sagar Chaki 2, Somesh Jha 1, and Thomas Reps 1,3 1 University of Wisconsin; {wrharris, kidd, jha, reps}@cs.wisc.edu
More informationPush-button verification of Files Systems via Crash Refinement
Push-button verification of Files Systems via Crash Refinement Verification Primer Behavioral Specification and implementation are both programs Equivalence check proves the functional correctness Hoare
More information1/16/17. Computer Programs and Processes. PHYSICAL: damage from either tampering, misuse, theft of equipment, or any combination of these
Computer System Security Threats Computer and Processes CSC362, Information Security PHYSICAL: damage from either tampering, misuse, theft of equipment, or any combination of these OPERATIONAL: outsiders
More informationFlexible Dynamic Information Flow Control in Haskell
Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C. Mitchell 1 David Mazières 1 1 2 Haskell 11 www.scs.stanford.edu/ deian/lio Introduction Motivation Motivation
More informationOperating Systems (2INC0) 2018/19. Introduction (01) Dr. Tanir Ozcelebi. Courtesy of Prof. Dr. Johan Lukkien. System Architecture and Networking Group
Operating Systems (2INC0) 20/19 Introduction (01) Dr. Courtesy of Prof. Dr. Johan Lukkien System Architecture and Networking Group Course Overview Introduction to operating systems Processes, threads and
More informationMC: Meta-level Compilation
MC: Meta-level Compilation Extending the Process of Code Compilation with Application-Specific Information for the layman developer (code monkey) Gaurav S. Kc 8 th October, 2003 1 Outline Dawson Engler
More informationPorting Hyperkernel to the ARM Architecture
Technical Report UW-CSE-17-08-02 Porting Hyperkernel to the ARM Architecture Dylan Johnson University of Washington dgj16@cs.washington.edu Keywords ARM, AArch64, Exokernel, Operating Systems, Virtualization
More informationActive Testing for Concurrent Programs
Active Testing for Concurrent Programs Pallavi Joshi, Mayur Naik, Chang-Seo Park, Koushik Sen 12/30/2008 ROPAS Seminar ParLab, UC Berkeley Intel Research Overview ParLab The Parallel Computing Laboratory
More informationOperating System Overview. Chapter 2
Operating System Overview Chapter 2 1 Operating System A program that controls the execution of application programs An interface between applications and hardware 2 Operating System Objectives Convenience
More informationSimplifying the Development and Debug of 8572-Based SMP Embedded Systems. Wind River Workbench Development Tools
Simplifying the Development and Debug of 8572-Based SMP Embedded Systems Wind River Workbench Development Tools Agenda Introducing multicore systems Debugging challenges of multicore systems Development
More informationAnnouncements Processes: Part II. Operating Systems. Autumn CS4023
Operating Systems Autumn 2018-2019 Outline Announcements 1 Announcements 2 Announcements Week04 lab: handin -m cs4023 -p w04 ICT session: Introduction to C programming Outline Announcements 1 Announcements
More informationLecture Topics. Announcements. Today: Threads (Stallings, chapter , 4.6) Next: Concurrency (Stallings, chapter , 5.
Lecture Topics Today: Threads (Stallings, chapter 4.1-4.3, 4.6) Next: Concurrency (Stallings, chapter 5.1-5.4, 5.7) 1 Announcements Make tutorial Self-Study Exercise #4 Project #2 (due 9/20) Project #3
More informationActive Testing for Concurrent Programs
Active Testing for Concurrent Programs Pallavi Joshi Mayur Naik Chang-Seo Park Koushik Sen 1/8/2009 ParLab Retreat ParLab, UC Berkeley Intel Research Overview Checking correctness of concurrent programs
More informationFor use by students enrolled in #71251 CSE430 Fall 2012 at Arizona State University. Do not use if not enrolled.
Operating Systems: Internals and Design Principles Chapter 4 Threads Seventh Edition By William Stallings Operating Systems: Internals and Design Principles The basic idea is that the several components
More informationOperating Systems Structure and Processes Lars Ailo Bongo Spring 2017 (using slides by Otto J. Anshus University of Tromsø/Oslo)
Operating Systems Structure and Processes Lars Ailo Bongo Spring 2017 (using slides by Otto J. Anshus University of Tromsø/Oslo) The Architecture of an OS Monolithic Layered Virtual Machine, Library, Exokernel
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationSecuring Distributed Systems with Information Flow Control
Securing Distributed Systems with Information Flow Control Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières Stanford University ABSTRACT Recent operating systems [12, 21, 26] have shown that
More informationAdvanced Systems Security: Securing Commercial Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAdvanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018
Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018 Basic Information Lecture Schedule: Course begins today! Course ends on June 1 st Lecture slots: Tuesday, 08.00 am 10.00
More informationSystems 2020 Strategic Initiative Overview
Systems 2020 Strategic Initiative Overview Kristen Baldwin ODDR&E/Systems Engineering 13 th Annual NDIA Systems Engineering Conference San Diego, CA October 28, 2010 Oct 2010 Page-1 DISTRIBUTION STATEMENT
More informationOS Extensibility: SPIN and Exokernels. Robert Grimm New York University
OS Extensibility: SPIN and Exokernels Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? OS Abstraction Barrier
More informationPlugging Side-Channel Leaks with Timing Information Flow Control
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://bford.info/ Abstract The cloud model s dependence on massive parallelism and resource sharing exacerbates
More information9.5 Equivalence Relations
9.5 Equivalence Relations You know from your early study of fractions that each fraction has many equivalent forms. For example, 2, 2 4, 3 6, 2, 3 6, 5 30,... are all different ways to represent the same
More informationARM TrustZone for ARMv8-M for software engineers
ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016 The need for security Communication protection Cryptography,
More informationExtending Model-Based Design for HW/SW Design and Verification in MPSoCs Jim Tung MathWorks Fellow
Extending Model-Based Design for HW/SW Design and Verification in MPSoCs Jim Tung MathWorks Fellow jim@mathworks.com 2014 The MathWorks, Inc. 1 Model-Based Design: From Concept to Production RESEARCH DESIGN
More informationProcess Description and Control
Process Description and Control B.Ramamurthy 1/28/02 B.Ramamurthy 1 Introduction The fundamental task of any operating system is process management. OS must allocate resources to processes, enable sharing
More informationOperating System Architecture. CS3026 Operating Systems Lecture 03
Operating System Architecture CS3026 Operating Systems Lecture 03 The Role of an Operating System Service provider Provide a set of services to system users Resource allocator Exploit the hardware resources
More informationUtilizing Linux Kernel Components in K42 K42 Team modified October 2001
K42 Team modified October 2001 This paper discusses how K42 uses Linux-kernel components to support a wide range of hardware, a full-featured TCP/IP stack and Linux file-systems. An examination of the
More informationHigh-Level Small-Step Operational Semantics for Software Transactions
High-Level Small-Step Operational Semantics for Software Transactions Katherine F. Moore Dan Grossman The University of Washington Motivating Our Approach Operational Semantics Model key programming-language
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAdvanced Systems Security: Multics
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationInformation Security CS526
Information Security CS 526 Topic 20: Non-interference and Nondeducibility 1 Optional Readings for This Lecture Security Policies and Security Models. J.A.Goguen and J.Meseguer. Oakland 1982 Non-deducibility
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationMaking Information Flow Explicit in HiStar
Making Information Flow Explicit in HiStar Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières Stanford and UCLA ABSTRACT HiStar is a new operating system designed to minimize the
More informationIntroduction to Formal Methods
2008 Spring Software Special Development 1 Introduction to Formal Methods Part I : Formal Specification i JUNBEOM YOO jbyoo@knokuk.ac.kr Reference AS Specifier s Introduction to Formal lmethods Jeannette
More informationAdvanced Systems Security: Cloud Computing Security
Advanced Systems Security: Cloud Computing Security Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Cloudy Foundations Can customers move their services
More informationARINC653 toolset: Ocarina, Cheddar and POK
ARINC653 toolset: Ocarina, Cheddar and POK Julien Delange Laurent Pautet 09/11/09 Context ARINC653 systems Layered architecture Enforce isolation across partitions High-integrity,
More informationVerifiable Security Goals
C H A P T E R 5 Verifiable Security Goals 57 In this chapter, we examine access control models that satisfy the mandatory protection system of Definition 2.4 in Chapter 2. A mandatory protection system
More informationInformation Flow Control for Standard OS Abstractions
Information Flow Control for Standard OS Abstractions Maxwell Krohn Alexander Yip Micah Brodsky Natan Cliffer M. Frans Kaashoek Eddie Kohler Robert Morris MIT CSAIL UCLA http://flume.csail.mit.edu/ ABSTRACT
More informationSecure Sharing of an ICT Infrastructure Through Vinci
Secure Sharing of an ICT Infrastructure Through Vinci Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa, Italy 2 Department of Computer Science, University of Pisa,
More informationUsing a Certified Hypervisor to Secure V2X communication
SYSGO AG PUBLIC 1 Using a Certified Hypervisor to Secure V2X communication Author(s): Date: Version Chris Berg 08/05/2017 v1.1 SYSGO AG PUBLIC 2 Protecting Assets People started protecting their assets
More informationThe Evolution of Secure Operating Systems
The Evolution of Secure Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1 Operating Systems
More informationW4118 Operating Systems. Junfeng Yang
W4118 Operating Systems Junfeng Yang What is a process? Outline Process dispatching Common process operations Inter-process Communication What is a process Program in execution virtual CPU Process: an
More informationF. Tip and M. Weintraub FUNCTIONAL TESTING
F. Tip and M. Weintraub FUNCTIONAL TESTING ACKNOWLEDGEMENTS Thanks go to Andreas Zeller for allowing incorporation of his materials 2 HOW TO TELL IF A SYSTEM MEETS EXPECTATIONS? Two options: 1. testing:
More informationVerifying Information Flow Control Over Unbounded Processes
Verifying Information Flow Control Over Unbounded Processes William R. Harris 1, Nicholas A. Kidd 1, Sagar Chaki 2, Somesh Jha 1, and Thomas Reps 1,3 1 University of Wisconsin; {wrharris, kidd, jha, reps}@cs.wisc.edu
More informationProcesses and Threads
COS 318: Operating Systems Processes and Threads Kai Li and Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall13/cos318 Today s Topics u Concurrency
More informationQualifying exam: operating systems, 1/6/2014
Qualifying exam: operating systems, 1/6/2014 Your name please: Part 1. Fun with forks (a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always
More informationThe Performance of µ-kernel-based Systems
Liedtke et al. presented by: Ryan O Connor October 7 th, 2009 Motivation By this time (1997) the OS research community had virtually abandoned research on pure µ-kernels. due primarily
More informationFormal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino
Formal Methods and their role in Software and System Development Riccardo Sisto, Politecnico di Torino What are Formal Methods? Rigorous (mathematical) methods for modelling and analysing (computer-based)
More informationCS SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CS 6403 - SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS 1. Explain iterative waterfall and spiral model for software life cycle and various activities
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationVirtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018
Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018 Today s Papers Disco: Running Commodity Operating Systems on Scalable Multiprocessors, Edouard
More informationModel-Based Engineering for the Development of ARINC653 Architectures
Model-Based Engineering for the Development of ARINC653 Architectures SAE 2009 AeroTech Congress and Exhibition Julien Delange Olivier Gilles Jérôme Hugues Laurent Pautet Context ARINC653 systems Time
More informationCONTENTS. Computer-System Structures
CONTENTS PART ONE OVERVIEW Chapter 1 Introduction 1.1 What Is an Operating System? 3 1.2 Simple Batch Systems 6 1.3 Multiprogrammed Batched Systems 8 1.4 Time-Sharing Systems 9 1.5 Personal-Computer Systems
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationNested Virtualization and Server Consolidation
Nested Virtualization and Server Consolidation Vara Varavithya Department of Electrical Engineering, KMUTNB varavithya@gmail.com 1 Outline Virtualization & Background Nested Virtualization Hybrid-Nested
More informationMASSACHUSETTS INSTITUTE OF TECHNOLOGY Computer Systems Engineering: Spring Quiz I Solutions
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.033 Computer Systems Engineering: Spring 2011 Quiz I Solutions There are 10 questions and 12 pages in this
More informationRoadmap. Tevfik Ko!ar. CSC Operating Systems Spring Lecture - III Processes. Louisiana State University. Virtual Machines Processes
CSC 4103 - Operating Systems Spring 2008 Lecture - III Processes Tevfik Ko!ar Louisiana State University January 22 nd, 2008 1 Roadmap Virtual Machines Processes Basic Concepts Context Switching Process
More informationRESOURCE MANAGEMENT MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource
More informationLecture 4: Bell LaPadula
CS 591: Introduction to Computer Security Lecture 4: Bell LaPadula James Hook Objectives Introduce the Bell LaPadula framework for confidentiality policy Discuss realizations of Bell LaPadula References:
More informationOperating Systems: Internals and Design Principles. Chapter 4 Threads Seventh Edition By William Stallings
Operating Systems: Internals and Design Principles Chapter 4 Threads Seventh Edition By William Stallings Operating Systems: Internals and Design Principles The basic idea is that the several components
More informationThe modularity requirement
The modularity requirement The obvious complexity of an OS and the inherent difficulty of its design lead to quite a few problems: an OS is often not completed on time; It often comes with quite a few
More informationOperating Systems. Computer Science & Information Technology (CS) Rank under AIR 100
GATE- 2016-17 Postal Correspondence 1 Operating Systems Computer Science & Information Technology (CS) 20 Rank under AIR 100 Postal Correspondence Examination Oriented Theory, Practice Set Key concepts,
More informationChapter 2 Operating System Overview
True / False Questions: Chapter 2 Operating System Overview 1. T / F An operating system controls the execution of applications and acts as an interface between applications and the computer hardware.
More informationIntroduction. COMP /S2 Week Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1
Introduction COMP9242 2008/S2 Week 1 2008 Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1 Copyright Notice These slides are distributed under the Creative Commons
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Unit Testing. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Unit Testing Emina Torlak emina@cs.washington.edu Outline Software quality control Effective unit testing Coverage
More information5 Lecture: Intro. to Concurrency
5 Lecture: Intro. to Concurrency Outline: Announcements Onwards The Process Model: a little deeper Pseudoparallelism and nondeterminism Possible process states Scheduling What about IPC? Operating System
More informationAutomated Debugging In Data Intensive Scalable Computing Systems
Automated Debugging In Data Intensive Scalable Computing Systems Muhammad Ali Gulzar 1, Matteo Interlandi 3, Xueyuan Han 2, Mingda Li 1, Tyson Condie 1, and Miryung Kim 1 1 University of California, Los
More informationMILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho
MILS Multiple Independent Levels of Security Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho United states December 8, 2005 Taylor, ACSAC Presentation 2 Outline Introduction and Motivation
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationECE 587 Hardware/Software Co-Design Lecture 11 Verification I
ECE 587 Hardware/Software Co-Design Spring 2018 1/23 ECE 587 Hardware/Software Co-Design Lecture 11 Verification I Professor Jia Wang Department of Electrical and Computer Engineering Illinois Institute
More information