Helgi Sigurbjarnarson
Size: px
Start display at page:

Download "Helgi Sigurbjarnarson"

Transcription

1 Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang.org

2 Enforcing information flow control is critical

3

4 Covert channels through error codes

5 Eliminating unintended flows is difficult Covert channels: A channel not intended for information flow [Lampson 73] Covert channels are often inherent in interface design Examples of covert channels in interfaces: ARINC 653 avionics standard [TACAS 16] Floating labels in Asbestos [Oakland 09, OSDI 06]

6 Eliminating unintended flows is difficult Covert channels: A channel not intended for information flow [Lampson 73] Covert channels are often inherent in interface design Examples of covert channels in interfaces: ARINC 653 avionics standard [TACAS 16] Floating labels in Asbestos [Oakland 09, OSDI 06]

7 Our approach: Verification-driven interface design Specify policy Design interface Verify interface against policy Counterexample Extends prior work of push-button verification: Yggdrasil [OSDI 16] & Hyperkernel [SOSP 17] Limitations Finite interface, expressible using SMT. Hardware-based side channels not in scope and no concurrency.

8 Contributions New formulation and proof strategy for noninterference Nickel: A framework for design and verification of information flow control (IFC) systems Experience building three systems using Nickel First formally verified decentralized IFC OS kernel Low proof burden: order of weeks

9 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation Process 1 Process 2

10 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2

11 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 1 spawn 3

12 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn 3+1 spawn spawn 3

13 Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn 3+1 spawn spawn 3 13 spawn 3+5+1

14 Covert channel in resource names Policy: Thread 1 and Thread 2 should not communicate Examples of covert channels Design: Spawn with sequential PID allocation Resource names Resource exhaustion 5 Thread 1 Thread 2 Statistical information Error handling spawn 3+1 spawn 3+5 Scheduling 12 Devices and services 1 spawn 3 13 spawn 3+5+1

15 Noninterference intuition Process 2: spawn 3 Process 1: spawn 5 times Process 2: spawn 9

16 Noninterference intuition Process 2: spawn 3 Process 1: spawn 5 times Process 2: spawn 9 Process 2: spawn 3 Process 2: spawn 4

17 Noninterference intuition Process 2: spawn 3 Process 1: spawn 5 times Process 2: spawn 9 Process 2: spawn 3 Process 2: spawn 4 Process 1 interferes with Process 2

18 Information flow policies in Nickel Set of domains D: e.g., processes Can-flow-to relation (D D): permitted flow between domains Function dom: (A S) D: maps an action and state to a domain

19 Information flow policies in Nickel Set of domains D: e.g., processes Flexible definition enables broad set of policies Can-flow-to Can-flow-to relation relation can (D be intransitive D): permitted flow between domains Function State dom: dependent (A dom S) D: maps an action and state to a domain

20 Noninterference definition sources ε, u, s u sources tr, u, step s, a dom a, s if v sources(tr, u, step s, a. dom a, s u sources a tr, u, s ቐ sources tr, u, step s, a otherwise purge ε, u, s ε purge a tr, u, s ቐ a tr tr purge tr, u, step s, a } if dom a, s sources a tr, u, s a tr tr purge tr, u, step s, a } purge(tr, u, s) otherwise tr purge tr, dom a, run init, tr, init. output run init,tr, a = output run(init, tr, a)

21 Given a policy, purging actions irrelevant to a domain should not affect the output of the actions for that domain

22 Automated verification of noninterference I init I s I step s, a u is reflexive, symmetric, and transitive I s I t s u t (dom a, s u dom a, t u) I s dom a, s u s u step(s, a)

23 Automated verification of noninterference I init I s I step s, a u is reflexive, symmetric, and transitive Proof strategy: unwinding conditions Together imply noninterference Requires reasoning only about individual actions Amenable to automated reasoning using SMT I s I t s u t (dom a, s u dom a, t u) I s dom a, s u s u step(s, a)

24 Outline New formulation and proof strategy for noninterference Nickel: A framework for design and verification of information flow control (IFC) systems Experience building three systems using Nickel First formally verified decentralized IFC OS kernel Low proof burden: order of weeks

25 Verification-driven interface design in Nickel 1 Specify policy 2 Design interface 3 Verify interface against policy Counterexample

26 Verification-driven interface design in Nickel 1 Specify policy 2 Design interface 3 Verify interface against policy Counterexample 5 Verify implementation against interface 4 Implement interface

27 Trusted Information flow policy Interface specification Observation function

28 Trusted Information flow policy Interface specification Policy: n processes that are not allowed to communicate with each other pid 1 pid 2... pid n Observation function

29 Trusted Information flow policy Interface specification Observation function

30 Trusted Information flow policy Interface specification Observation function

31 Trusted Information flow policy Interface specification Observation function

32 Trusted Information flow policy Interface specification Observation function

33 Trusted Information flow policy Interface specification Observation function

34 Trusted Information flow policy Interface specification Observation function

35 Trusted Information flow policy Interface specification Observation function

36 Trusted Information flow policy Interface specification Observation function

37 Trusted Information flow policy Interface specification Observation function

38 Trusted Information flow policy Interface specification Observation function

39 Trusted Information flow policy Interface specification Observation function

40 Trusted Information flow policy Interface specification Observation function

41 Trusted Information flow policy Interface specification Observation function

42 Trusted Information flow policy Interface specification Observation function

43 Trusted Information flow policy Interface specification SMT Nickel verifier Observation function

44 Trusted Information flow policy Channel Counterexample Interface specification SMT Nickel verifier Observation function

45 Trusted Information flow policy Interface specification Observation function SMT Design patterns Bug Partition names among domains Reduce flows to the scheduler Nickel Perform flow checks early verifier Limit resource usage with quotas Encrypt names from a large space Expose or enclose nondeterminism Counterexample

46 Trusted Information flow policy Bug Counterexample Interface specification SMT Nickel verifier Observation function

47 Trusted Information flow policy Bug Counterexample Interface specification SMT Nickel verifier Observation function

48 Trusted Information flow policy Channel Counterexample Interface specification SMT Nickel verifier Observation function

49 Trusted Information flow policy Channel Counterexample Interface specification SMT Nickel verifier Verified Observation function

50 Outline New formulation and proof strategy for noninterference Nickel: A framework for design and verification of information flow control (IFC) systems Experience building three systems using Nickel First formally verified decentralized IFC OS kernel Low proof burden: order of weeks

51 Decentralized information flow control (DIFC) Flexible mechanism to enforce security policies [SOSP 97] Each object assigned labels for tracking and mediating data access Several operating system kernels enforce DIFC: Asbestos [SOSP 05] HiStar [OSDI 06] Flume [SOSP 07] Our goal: Build a DIFC OS kernel without any covert channels

52 NiStar: First verified DIFC OS Resembles an exokernel with finite interface design 46 system calls and exception handlers Supports musl C stdlib using Linux emulation, file system, lwip network service Enforces information flow among small number of object types Labels, containers, threads, gates, page-table pages, user pages, quanta Each object is assigned three labels: Secrecy S, integrity I, ownership O Simple policy: Given two objects with domains L 1 and L 2 : L 1 = S 1, I 1, O 1, L 2 = S 2, I 2, O 2 L 1 L 2 (S 1 O 1 S 2 O 2 ) (I 2 O 2 I 1 O 1 )

53 NiStar Scheduler New object types to close channel in scheduler NiStar closes logical time channel in scheduler

54 Other systems Subset of ARINC 653 Industrial standard for avionics systems Reproduced three known bugs in the specification NiKOS: Small Unix-like OS kernel mirroring mcertikos [PLDI 16] Process isolation policy

55 Implementation Component NiStar NiKOS ARINC 653 Information flow policy Interface specification Observational equivalence Interface implementation 3, User-space implementation 9, Common kernel infrastructure 4,829 (shared by NiStar / NiKOS)

56 Implementation Component NiStar NiKOS ARINC 653 Information flow policy Interface specification Observational equivalence Interface implementation 3, User-space implementation 9, Common kernel infrastructure 4,829 (shared by NiStar / NiKOS) Concise policy

57 Low proof burden NiStar: Six months for the first prototype implementation Six weeks on verification NiKOS: two weeks ARINC 653: one week

58 Conclusion Verification-driven interface design Systematic way to design secure interfaces Interactive workflow with counterexample-based debugging First verified DIFC system Low proof burden

Similar documents

Nickel: A framework for design and verification of information flow control systems

Nickel: A framework for design and verification of information flow control systems Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New

More information

Nickel: A Framework for Design and Verification of Information Flow Control Systems

Nickel: A Framework for Design and Verification of Information Flow Control Systems Nickel: A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang University of Washington

More information

Hyperkernel: Push-Button Verification of an OS Kernel

Hyperkernel: Push-Button Verification of an OS Kernel Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential

More information

Designing Systems for Push-Button Verification

Designing Systems for Push-Button Verification Designing Systems for Push-Button Verification Luke Nelson, Helgi Sigurbjarnarson, Xi Wang Joint work with James Bornholt, Dylan Johnson, Arvind Krishnamurthy, EminaTorlak, Kaiyuan Zhang Formal verification

More information

Push-Button Verification of File Systems

Push-Button Verification of File Systems 1 / 24 Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, Xi Wang University of Washington 2 / 24 File systems are hard to get right Complex

More information

Push-Button Verification of File Systems

Push-Button Verification of File Systems 1 / 25 Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, Xi Wang University of Washington October 26, 2016 2 / 25 File systems are hard

More information

Hyperkernel: Push-Button Verification of an OS Kernel

Hyperkernel: Push-Button Verification of an OS Kernel Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang University of Washington {lukenels,helgi,kaiyuanz,dgj16,bornholt,emina,xi}@cs.washington.edu

More information

A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees

A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees by Bruno Castro-Karney Supervised by Xi Wang A senior thesis submitted in partial fulfillment of the requirements for the degree of Bachelor

More information

Information Flow Control For Standard OS Abstractions

Information Flow Control For Standard OS Abstractions Information Flow Control For Standard OS Abstractions Maxwell Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris MIT SOSP 2007 Presenter: Lei Xia Mar. 2 2009 Outline

More information

Practical DIFC Enforcement on Android

Practical DIFC Enforcement on Android Practical DIFC Enforcement on Android Adwait Nadkarni 1, Benjamin Andow 1, William Enck 1, Somesh Jha 2 1 North Carolina State University 2 University of Wisconsin-Madison The new Modern Operating Systems

More information

8.3 Mandatory Flow Control Models

8.3 Mandatory Flow Control Models 8.3 Mandatory Flow Control Models Mingsen Xu Advanced Operating System 2011-10-26 Outline Mandatory Flow Control Models - Information Flow Control - Lattice Model - Multilevel Security Model - Bell-Lapadula

More information

Labels and Information Flow

Labels and Information Flow Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation

More information

Topics in Systems and Program Security

Topics in Systems and Program Security Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and

More information

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon

More information

Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish

Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish Thomas Sewell Harvey Tuch Simon Winwood 1 microkernel

More information

CS590U Access Control: Theory and Practice. Lecture 5 (January 24) Noninterference and Nondeducibility

CS590U Access Control: Theory and Practice. Lecture 5 (January 24) Noninterference and Nondeducibility CS590U Access Control: Theory and Practice Lecture 5 (January 24) Noninterference and Nondeducibility Security Policies and Security Models J.A.Goguen and J.Meseguer Oakland 1982 Distinction Between Models

More information

The Evolution of Secure Operating Systems

The Evolution of Secure Operating Systems The Evolution of Secure Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1 Operating Systems

More information

Operating System Kernels

Operating System Kernels Operating System Kernels Presenter: Saikat Guha Cornell University CS 614, Fall 2005 Operating Systems Initially, the OS was a run-time library Batch ( 55 65): Resident, spooled jobs Multiprogrammed (late

More information

DIFC Programs by Automatic Instrumentation

DIFC Programs by Automatic Instrumentation DIFC Programs by Automatic Instrumentation William R. Harris Univ. of Wisconsin, Madison Dept. of Computer Sciences wrharris@cs.wisc.edu Somesh Jha Univ. of Wisconsin, Madison Dept. of Computer Sciences

More information

Language-Based Information- Flow Security

Language-Based Information- Flow Security Language-Based Information- Flow Security Andrei Sabelfeld Andrew C. Myers Presented by Shiyi Wei About the paper Literature review Information flow security Static program analysis to enforce information-flow

More information

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious

More information

DIFC Programs by Automatic Instrumentation

DIFC Programs by Automatic Instrumentation DIFC Programs by Automatic Instrumentation William R. Harris Univ. of Wisconsin, Madison Dept. of Computer Sciences wrharris@cs.wisc.edu Somesh Jha Univ. of Wisconsin, Madison Dept. of Computer Sciences

More information

ECE519 Advanced Operating Systems

ECE519 Advanced Operating Systems IT 540 Operating Systems ECE519 Advanced Operating Systems Prof. Dr. Hasan Hüseyin BALIK (4 th Week) (Advanced) Operating Systems 4. Threads Processes and Threads Types of Threads Multicore and Multithreading

More information

Virtual Machine Security

Virtual Machine Security Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal

More information

Applying MILS to multicore avionics systems

Applying MILS to multicore avionics systems Applying MILS to multicore avionics systems Eur Ing Paul Parkinson FIET Principal Systems Architect, A&D EuroMILS Workshop, Prague, 19 th January 2016 2016 Wind River. All Rights Reserved. Agenda A Brief

More information

Topics in Systems and Program Security

Topics in Systems and Program Security Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and

More information

(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt

(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt Verification (See related materials in textbook.) Outline What are the goals of verification? What are the main approaches to verification? What kind of assurance do we get through testing? How can testing

More information

HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,

HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008, HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008, Chicago Component Security Integration John Rushby Computer

More information

Verifying Information Flow Control Over Unbounded Processes

Verifying Information Flow Control Over Unbounded Processes Verifying Information Flow Control Over Unbounded Processes William R. Harris 1, Nicholas A. Kidd 1, Sagar Chaki 2, Somesh Jha 1, and Thomas Reps 1,3 1 University of Wisconsin; {wrharris, kidd, jha, reps}@cs.wisc.edu

More information

Push-button verification of Files Systems via Crash Refinement

Push-button verification of Files Systems via Crash Refinement Push-button verification of Files Systems via Crash Refinement Verification Primer Behavioral Specification and implementation are both programs Equivalence check proves the functional correctness Hoare

More information

1/16/17. Computer Programs and Processes. PHYSICAL: damage from either tampering, misuse, theft of equipment, or any combination of these

1/16/17. Computer Programs and Processes. PHYSICAL: damage from either tampering, misuse, theft of equipment, or any combination of these Computer System Security Threats Computer and Processes CSC362, Information Security PHYSICAL: damage from either tampering, misuse, theft of equipment, or any combination of these OPERATIONAL: outsiders

More information

Flexible Dynamic Information Flow Control in Haskell

Flexible Dynamic Information Flow Control in Haskell Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C. Mitchell 1 David Mazières 1 1 2 Haskell 11 www.scs.stanford.edu/ deian/lio Introduction Motivation Motivation

More information

Operating Systems (2INC0) 2018/19. Introduction (01) Dr. Tanir Ozcelebi. Courtesy of Prof. Dr. Johan Lukkien. System Architecture and Networking Group

Operating Systems (2INC0) 2018/19. Introduction (01) Dr. Tanir Ozcelebi. Courtesy of Prof. Dr. Johan Lukkien. System Architecture and Networking Group Operating Systems (2INC0) 20/19 Introduction (01) Dr. Courtesy of Prof. Dr. Johan Lukkien System Architecture and Networking Group Course Overview Introduction to operating systems Processes, threads and

More information

MC: Meta-level Compilation

MC: Meta-level Compilation MC: Meta-level Compilation Extending the Process of Code Compilation with Application-Specific Information for the layman developer (code monkey) Gaurav S. Kc 8 th October, 2003 1 Outline Dawson Engler

More information

Porting Hyperkernel to the ARM Architecture

Porting Hyperkernel to the ARM Architecture Technical Report UW-CSE-17-08-02 Porting Hyperkernel to the ARM Architecture Dylan Johnson University of Washington dgj16@cs.washington.edu Keywords ARM, AArch64, Exokernel, Operating Systems, Virtualization

More information

Active Testing for Concurrent Programs

Active Testing for Concurrent Programs Active Testing for Concurrent Programs Pallavi Joshi, Mayur Naik, Chang-Seo Park, Koushik Sen 12/30/2008 ROPAS Seminar ParLab, UC Berkeley Intel Research Overview ParLab The Parallel Computing Laboratory

More information

Operating System Overview. Chapter 2

Operating System Overview. Chapter 2 Operating System Overview Chapter 2 1 Operating System A program that controls the execution of application programs An interface between applications and hardware 2 Operating System Objectives Convenience

More information

Simplifying the Development and Debug of 8572-Based SMP Embedded Systems. Wind River Workbench Development Tools

Simplifying the Development and Debug of 8572-Based SMP Embedded Systems. Wind River Workbench Development Tools Simplifying the Development and Debug of 8572-Based SMP Embedded Systems Wind River Workbench Development Tools Agenda Introducing multicore systems Debugging challenges of multicore systems Development

More information

Announcements Processes: Part II. Operating Systems. Autumn CS4023

Announcements Processes: Part II. Operating Systems. Autumn CS4023 Operating Systems Autumn 2018-2019 Outline Announcements 1 Announcements 2 Announcements Week04 lab: handin -m cs4023 -p w04 ICT session: Introduction to C programming Outline Announcements 1 Announcements

More information

Lecture Topics. Announcements. Today: Threads (Stallings, chapter , 4.6) Next: Concurrency (Stallings, chapter , 5.

Lecture Topics. Announcements. Today: Threads (Stallings, chapter , 4.6) Next: Concurrency (Stallings, chapter , 5. Lecture Topics Today: Threads (Stallings, chapter 4.1-4.3, 4.6) Next: Concurrency (Stallings, chapter 5.1-5.4, 5.7) 1 Announcements Make tutorial Self-Study Exercise #4 Project #2 (due 9/20) Project #3

More information

Active Testing for Concurrent Programs

Active Testing for Concurrent Programs Active Testing for Concurrent Programs Pallavi Joshi Mayur Naik Chang-Seo Park Koushik Sen 1/8/2009 ParLab Retreat ParLab, UC Berkeley Intel Research Overview Checking correctness of concurrent programs

More information

For use by students enrolled in #71251 CSE430 Fall 2012 at Arizona State University. Do not use if not enrolled.

For use by students enrolled in #71251 CSE430 Fall 2012 at Arizona State University. Do not use if not enrolled. Operating Systems: Internals and Design Principles Chapter 4 Threads Seventh Edition By William Stallings Operating Systems: Internals and Design Principles The basic idea is that the several components

More information

Operating Systems Structure and Processes Lars Ailo Bongo Spring 2017 (using slides by Otto J. Anshus University of Tromsø/Oslo)

Operating Systems Structure and Processes Lars Ailo Bongo Spring 2017 (using slides by Otto J. Anshus University of Tromsø/Oslo) Operating Systems Structure and Processes Lars Ailo Bongo Spring 2017 (using slides by Otto J. Anshus University of Tromsø/Oslo) The Architecture of an OS Monolithic Layered Virtual Machine, Library, Exokernel

More information

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Securing Distributed Systems with Information Flow Control

Securing Distributed Systems with Information Flow Control Securing Distributed Systems with Information Flow Control Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières Stanford University ABSTRACT Recent operating systems [12, 21, 26] have shown that

More information

Advanced Systems Security: Securing Commercial Systems

Advanced Systems Security: Securing Commercial Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018 Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018 Basic Information Lecture Schedule: Course begins today! Course ends on June 1 st Lecture slots: Tuesday, 08.00 am 10.00

More information

Systems 2020 Strategic Initiative Overview

Systems 2020 Strategic Initiative Overview Systems 2020 Strategic Initiative Overview Kristen Baldwin ODDR&E/Systems Engineering 13 th Annual NDIA Systems Engineering Conference San Diego, CA October 28, 2010 Oct 2010 Page-1 DISTRIBUTION STATEMENT

More information

OS Extensibility: SPIN and Exokernels. Robert Grimm New York University

OS Extensibility: SPIN and Exokernels. Robert Grimm New York University OS Extensibility: SPIN and Exokernels Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? OS Abstraction Barrier

More information

Plugging Side-Channel Leaks with Timing Information Flow Control

Plugging Side-Channel Leaks with Timing Information Flow Control Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://bford.info/ Abstract The cloud model s dependence on massive parallelism and resource sharing exacerbates

More information

9.5 Equivalence Relations

9.5 Equivalence Relations 9.5 Equivalence Relations You know from your early study of fractions that each fraction has many equivalent forms. For example, 2, 2 4, 3 6, 2, 3 6, 5 30,... are all different ways to represent the same

More information

ARM TrustZone for ARMv8-M for software engineers

ARM TrustZone for ARMv8-M for software engineers ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016 The need for security Communication protection Cryptography,

More information

Extending Model-Based Design for HW/SW Design and Verification in MPSoCs Jim Tung MathWorks Fellow

Extending Model-Based Design for HW/SW Design and Verification in MPSoCs Jim Tung MathWorks Fellow Extending Model-Based Design for HW/SW Design and Verification in MPSoCs Jim Tung MathWorks Fellow jim@mathworks.com 2014 The MathWorks, Inc. 1 Model-Based Design: From Concept to Production RESEARCH DESIGN

More information

Process Description and Control

Process Description and Control Process Description and Control B.Ramamurthy 1/28/02 B.Ramamurthy 1 Introduction The fundamental task of any operating system is process management. OS must allocate resources to processes, enable sharing

More information

Operating System Architecture. CS3026 Operating Systems Lecture 03

Operating System Architecture. CS3026 Operating Systems Lecture 03 Operating System Architecture CS3026 Operating Systems Lecture 03 The Role of an Operating System Service provider Provide a set of services to system users Resource allocator Exploit the hardware resources

More information

Utilizing Linux Kernel Components in K42 K42 Team modified October 2001

Utilizing Linux Kernel Components in K42 K42 Team modified October 2001 K42 Team modified October 2001 This paper discusses how K42 uses Linux-kernel components to support a wide range of hardware, a full-featured TCP/IP stack and Linux file-systems. An examination of the

More information

High-Level Small-Step Operational Semantics for Software Transactions

High-Level Small-Step Operational Semantics for Software Transactions High-Level Small-Step Operational Semantics for Software Transactions Katherine F. Moore Dan Grossman The University of Washington Motivating Our Approach Operational Semantics Model key programming-language

More information

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Advanced Systems Security: Principles

Advanced Systems Security: Principles Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Advanced Systems Security: Multics

Advanced Systems Security: Multics Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Information Security CS526

Information Security CS526 Information Security CS 526 Topic 20: Non-interference and Nondeducibility 1 Optional Readings for This Lecture Security Policies and Security Models. J.A.Goguen and J.Meseguer. Oakland 1982 Non-deducibility

More information

Cover Page. The handle holds various files of this Leiden University dissertation

Cover Page. The handle holds various files of this Leiden University dissertation Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue

More information

Making Information Flow Explicit in HiStar

Making Information Flow Explicit in HiStar Making Information Flow Explicit in HiStar Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières Stanford and UCLA ABSTRACT HiStar is a new operating system designed to minimize the

More information

Introduction to Formal Methods

Introduction to Formal Methods 2008 Spring Software Special Development 1 Introduction to Formal Methods Part I : Formal Specification i JUNBEOM YOO jbyoo@knokuk.ac.kr Reference AS Specifier s Introduction to Formal lmethods Jeannette

More information

Advanced Systems Security: Cloud Computing Security

Advanced Systems Security: Cloud Computing Security Advanced Systems Security: Cloud Computing Security Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Cloudy Foundations Can customers move their services

More information

ARINC653 toolset: Ocarina, Cheddar and POK

ARINC653 toolset: Ocarina, Cheddar and POK ARINC653 toolset: Ocarina, Cheddar and POK Julien Delange Laurent Pautet 09/11/09 Context ARINC653 systems Layered architecture Enforce isolation across partitions High-integrity,

More information

Verifiable Security Goals

Verifiable Security Goals C H A P T E R 5 Verifiable Security Goals 57 In this chapter, we examine access control models that satisfy the mandatory protection system of Definition 2.4 in Chapter 2. A mandatory protection system

More information

Information Flow Control for Standard OS Abstractions

Information Flow Control for Standard OS Abstractions Information Flow Control for Standard OS Abstractions Maxwell Krohn Alexander Yip Micah Brodsky Natan Cliffer M. Frans Kaashoek Eddie Kohler Robert Morris MIT CSAIL UCLA http://flume.csail.mit.edu/ ABSTRACT

More information

Secure Sharing of an ICT Infrastructure Through Vinci

Secure Sharing of an ICT Infrastructure Through Vinci Secure Sharing of an ICT Infrastructure Through Vinci Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa, Italy 2 Department of Computer Science, University of Pisa,

More information

Using a Certified Hypervisor to Secure V2X communication

Using a Certified Hypervisor to Secure V2X communication SYSGO AG PUBLIC 1 Using a Certified Hypervisor to Secure V2X communication Author(s): Date: Version Chris Berg 08/05/2017 v1.1 SYSGO AG PUBLIC 2 Protecting Assets People started protecting their assets

More information

The Evolution of Secure Operating Systems

The Evolution of Secure Operating Systems The Evolution of Secure Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1 Operating Systems

More information

W4118 Operating Systems. Junfeng Yang

W4118 Operating Systems. Junfeng Yang W4118 Operating Systems Junfeng Yang What is a process? Outline Process dispatching Common process operations Inter-process Communication What is a process Program in execution virtual CPU Process: an

More information

F. Tip and M. Weintraub FUNCTIONAL TESTING

F. Tip and M. Weintraub FUNCTIONAL TESTING F. Tip and M. Weintraub FUNCTIONAL TESTING ACKNOWLEDGEMENTS Thanks go to Andreas Zeller for allowing incorporation of his materials 2 HOW TO TELL IF A SYSTEM MEETS EXPECTATIONS? Two options: 1. testing:

More information

Verifying Information Flow Control Over Unbounded Processes

Verifying Information Flow Control Over Unbounded Processes Verifying Information Flow Control Over Unbounded Processes William R. Harris 1, Nicholas A. Kidd 1, Sagar Chaki 2, Somesh Jha 1, and Thomas Reps 1,3 1 University of Wisconsin; {wrharris, kidd, jha, reps}@cs.wisc.edu

More information

Processes and Threads

Processes and Threads COS 318: Operating Systems Processes and Threads Kai Li and Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall13/cos318 Today s Topics u Concurrency

More information

Qualifying exam: operating systems, 1/6/2014

Qualifying exam: operating systems, 1/6/2014 Qualifying exam: operating systems, 1/6/2014 Your name please: Part 1. Fun with forks (a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always

More information

The Performance of µ-kernel-based Systems

The Performance of µ-kernel-based Systems Liedtke et al. presented by: Ryan O Connor October 7 th, 2009 Motivation By this time (1997) the OS research community had virtually abandoned research on pure µ-kernels. due primarily

More information

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino Formal Methods and their role in Software and System Development Riccardo Sisto, Politecnico di Torino What are Formal Methods? Rigorous (mathematical) methods for modelling and analysing (computer-based)

More information

CS SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS

CS SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CS 6403 - SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS 1. Explain iterative waterfall and spiral model for software life cycle and various activities

More information

Advanced Systems Security: Principles

Advanced Systems Security: Principles Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018

Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018 Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018 Today s Papers Disco: Running Commodity Operating Systems on Scalable Multiprocessors, Edouard

More information

Model-Based Engineering for the Development of ARINC653 Architectures

Model-Based Engineering for the Development of ARINC653 Architectures Model-Based Engineering for the Development of ARINC653 Architectures SAE 2009 AeroTech Congress and Exhibition Julien Delange Olivier Gilles Jérôme Hugues Laurent Pautet Context ARINC653 systems Time

More information

CONTENTS. Computer-System Structures

CONTENTS. Computer-System Structures CONTENTS PART ONE OVERVIEW Chapter 1 Introduction 1.1 What Is an Operating System? 3 1.2 Simple Batch Systems 6 1.3 Multiprogrammed Batched Systems 8 1.4 Time-Sharing Systems 9 1.5 Personal-Computer Systems

More information

0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:

More information

Nested Virtualization and Server Consolidation

Nested Virtualization and Server Consolidation Nested Virtualization and Server Consolidation Vara Varavithya Department of Electrical Engineering, KMUTNB varavithya@gmail.com 1 Outline Virtualization & Background Nested Virtualization Hybrid-Nested

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Computer Systems Engineering: Spring Quiz I Solutions

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Computer Systems Engineering: Spring Quiz I Solutions Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.033 Computer Systems Engineering: Spring 2011 Quiz I Solutions There are 10 questions and 12 pages in this

More information

Roadmap. Tevfik Ko!ar. CSC Operating Systems Spring Lecture - III Processes. Louisiana State University. Virtual Machines Processes

Roadmap. Tevfik Ko!ar. CSC Operating Systems Spring Lecture - III Processes. Louisiana State University. Virtual Machines Processes CSC 4103 - Operating Systems Spring 2008 Lecture - III Processes Tevfik Ko!ar Louisiana State University January 22 nd, 2008 1 Roadmap Virtual Machines Processes Basic Concepts Context Switching Process

More information

RESOURCE MANAGEMENT MICHAEL ROITZSCH

RESOURCE MANAGEMENT MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource

More information

Lecture 4: Bell LaPadula

Lecture 4: Bell LaPadula CS 591: Introduction to Computer Security Lecture 4: Bell LaPadula James Hook Objectives Introduce the Bell LaPadula framework for confidentiality policy Discuss realizations of Bell LaPadula References:

More information

Operating Systems: Internals and Design Principles. Chapter 4 Threads Seventh Edition By William Stallings

Operating Systems: Internals and Design Principles. Chapter 4 Threads Seventh Edition By William Stallings Operating Systems: Internals and Design Principles Chapter 4 Threads Seventh Edition By William Stallings Operating Systems: Internals and Design Principles The basic idea is that the several components

More information

The modularity requirement

The modularity requirement The modularity requirement The obvious complexity of an OS and the inherent difficulty of its design lead to quite a few problems: an OS is often not completed on time; It often comes with quite a few

More information

Operating Systems. Computer Science & Information Technology (CS) Rank under AIR 100

Operating Systems. Computer Science & Information Technology (CS) Rank under AIR 100 GATE- 2016-17 Postal Correspondence 1 Operating Systems Computer Science & Information Technology (CS) 20 Rank under AIR 100 Postal Correspondence Examination Oriented Theory, Practice Set Key concepts,

More information

Chapter 2 Operating System Overview

Chapter 2 Operating System Overview True / False Questions: Chapter 2 Operating System Overview 1. T / F An operating system controls the execution of applications and acts as an interface between applications and the computer hardware.

More information

Introduction. COMP /S2 Week Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1

Introduction. COMP /S2 Week Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1 Introduction COMP9242 2008/S2 Week 1 2008 Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1 Copyright Notice These slides are distributed under the Creative Commons

More information

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Unit Testing. Emina Torlak

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Unit Testing. Emina Torlak CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Unit Testing Emina Torlak emina@cs.washington.edu Outline Software quality control Effective unit testing Coverage

More information

5 Lecture: Intro. to Concurrency

5 Lecture: Intro. to Concurrency 5 Lecture: Intro. to Concurrency Outline: Announcements Onwards The Process Model: a little deeper Pseudoparallelism and nondeterminism Possible process states Scheduling What about IPC? Operating System

More information

Automated Debugging In Data Intensive Scalable Computing Systems

Automated Debugging In Data Intensive Scalable Computing Systems Automated Debugging In Data Intensive Scalable Computing Systems Muhammad Ali Gulzar 1, Matteo Interlandi 3, Xueyuan Han 2, Mingda Li 1, Tyson Condie 1, and Miryung Kim 1 1 University of California, Los

More information

MILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho

MILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho MILS Multiple Independent Levels of Security Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho United states December 8, 2005 Taylor, ACSAC Presentation 2 Outline Introduction and Motivation

More information

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Model-Driven Verifying Compilation of Synchronous Distributed Applications Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material

More information

ECE 587 Hardware/Software Co-Design Lecture 11 Verification I

ECE 587 Hardware/Software Co-Design Lecture 11 Verification I ECE 587 Hardware/Software Co-Design Spring 2018 1/23 ECE 587 Hardware/Software Co-Design Lecture 11 Verification I Professor Jia Wang Department of Electrical and Computer Engineering Illinois Institute

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback