ni nickel
play

Ni Nickel A Framework for Design and Verification of Information - PowerPoint PPT Presentation

Dec 25, 2023 •423 likes •1.02k views

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

  1. Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org

  2. Enforcing information flow control is critical

  4. Covert channels through error codes

  5. Eliminating unintended flows is difficult • Covert channels: A channel not intended for information flow [Lampson ‘73] • Covert channels are often inherent in interface design • Examples of covert channels in interfaces: • ARINC 653 avionics standard [TACAS ‘16] • Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]

  6. Eliminating unintended flows is difficult • Covert channels: A channel not intended for information flow [Lampson ‘73] • Covert channels are often inherent in interface design • Examples of covert channels in interfaces: • ARINC 653 avionics standard [TACAS ‘16] • Floating labels in Asbestos [Oakland ‘09, OSDI ‘06]

  7. Our approach: Verification-driven interface design Verify interface Specify policy Design interface against policy Counterexample • Extends prior work of push-button verification: • Yggdrasil [ OSDI ‘ 16] & Hyperkernel [ SOSP ‘17 ] • Limitations • Finite interface, expressible using SMT. • Hardware-based side channels not in scope and no concurrency.

  8. Contributions • New formulation and proof strategy for noninterference • Nickel : A framework for design and verification of information flow control (IFC) systems • Experience building three systems using Nickel • First formally verified decentralized IFC OS kernel • Low proof burden: order of weeks

  9. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation Process 1 Process 2

  10. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2

  11. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn → 3 1 1

  12. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn → 3 1 1 spawn → 3+1 … 2 1 spawn → 3+5

  13. Covert channel in resource names Policy: Process 1 and Process 2 should not communicate Design: Spawn with sequential PID allocation 5 Process 1 Process 2 spawn → 3 1 1 spawn → 3+1 … 2 1 spawn → 3+5 spawn → 3+ 5 +1 3 1

  14. Covert channel in resource names Examples of covert channels Policy: Thread 1 and Thread 2 should not communicate • Resource names Design: Spawn with sequential PID allocation • Resource exhaustion 5 Thread 1 Thread 2 • Statistical information spawn → 3 1 1 • Error handling spawn → 3+1 • Scheduling … 2 1 spawn → 3+5 • Devices and services spawn → 3+ 5 +1 3 1

  15. Noninterference intuition Process 2: Process 1: Process 2: spawn → 3 spawn → 9 spawn 5 times

  16. Noninterference intuition Process 2: Process 1: Process 2: spawn → 3 spawn → 9 spawn 5 times Process 2: Process 2: spawn → 3 spawn → 4

  17. Noninterference intuition Process 2: Process 1: Process 2: spawn → 3 spawn → 9 spawn 5 times Process 2: Process 2: spawn → 3 spawn → 4 Process 1 interferes with Process 2

  18. Information flow policies in Nickel • Set of domains 𝒠 : e.g., processes • Can-flow-to relation ⇝ ⊆ (𝒠 × 𝒠) : permitted flow between domains • Function dom: (𝐵 × 𝑇) → 𝒠 : maps an action and state to a domain

  19. Information flow policies in Nickel • Set of domains 𝒠 : e.g., processes Flexible definition enables broad set of policies • Can-flow-to relation ⇝ ⊆ (𝒠 × 𝒠) : permitted flow between domains • Can-flow-to relation can be intransitive • State dependent dom • Function dom: (𝐵 × 𝑇) → 𝒠 : maps an action and state to a domain

  20. Noninterference definition sources 𝜗, 𝑣, 𝑡 ≔ 𝑣 sources 𝑏 ∘ 𝑢𝑠, 𝑣, 𝑡 ≔ ቐsources 𝑢𝑠, 𝑣, step 𝑡, 𝑏 ∪ dom 𝑏, 𝑡 if ∃𝑤 ∈ sources(𝑢𝑠, 𝑣, step 𝑡, 𝑏 . dom 𝑏, 𝑡 ⇝ 𝑣 sources 𝑢𝑠, 𝑣, step 𝑡, 𝑏 otherwise purge 𝜗, 𝑣, 𝑡 ≔ 𝜗 𝑢𝑠 ′ ∈ purge 𝑢𝑠, 𝑣, step 𝑡, 𝑏 ≔ ቐ 𝑏 ∘ tr ′ } if dom 𝑏, 𝑡 ∈ sources 𝑏 ∘ 𝑢𝑠, 𝑣, 𝑡 purge 𝑏 ∘ 𝑢𝑠, 𝑣, 𝑡 𝑢𝑠 ′ ∈ purge 𝑢𝑠, 𝑣, step 𝑡, 𝑏 𝑏 ∘ tr ′ } ∪ purge(𝑢𝑠, 𝑣, 𝑡) otherwise ∀ 𝑢𝑠 ′ ∈ purge 𝑢𝑠, dom 𝑏, run init,𝑢𝑠 ,init . output run init,𝑢𝑠 ,𝑏 = output run(init,𝑢𝑠 ′ ,𝑏)

  21. Given a policy, purging actions “irrelevant” to a domain should not affect the output of the actions for that domain

  22. Automated verification of noninterference • ℐ init ∧ ℐ 𝑡 ⇒ ℐ step 𝑡, 𝑏 𝑣 is reflexive, symmetric, and transitive • ≈ 𝑣 𝑢 ⇒ (dom 𝑏, 𝑡 ⇝ 𝑣 ⇔ dom 𝑏, 𝑢 ⇝ 𝑣) • ℐ 𝑡 ∧ ℐ 𝑢 ∧ 𝑡 ≈ 𝑣 step(𝑡,𝑏) • ℐ 𝑡 ∧ dom 𝑏, 𝑡 ⇝ 𝑣 ⇒ s ≈

  23. Automated verification of noninterference • ℐ init ∧ ℐ 𝑡 ⇒ ℐ step 𝑡, 𝑏 𝑣 is reflexive, symmetric, and transitive • ≈ Proof strategy: unwinding conditions • Together imply noninterference 𝑣 𝑢 ⇒ (dom 𝑏, 𝑡 ⇝ 𝑣 ⇔ dom 𝑏, 𝑢 ⇝ 𝑣) • Requires reasoning only about individual actions • ℐ 𝑡 ∧ ℐ 𝑢 ∧ 𝑡 ≈ • Amenable to automated reasoning using SMT 𝑣 step(𝑡,𝑏) • ℐ 𝑡 ∧ dom 𝑏, 𝑡 ⇝ 𝑣 ⇒ s ≈

  24. Outline • New formulation and proof strategy for noninterference • Nickel: A framework for design and verification of information flow control (IFC) systems • Experience building three systems using Nickel • First formally verified decentralized IFC OS kernel • Low proof burden: order of weeks

  25. Verification-driven interface design in Nickel 1 2 3 Verify interface Specify policy Design interface against policy Counterexample

  26. Verification-driven interface design in Nickel 1 2 3 Verify interface Specify policy Design interface against policy Counterexample 5 4 Verify implementation Implement against interface interface

  27. Trusted Information flow policy Interface specification Observation function

  28. Trusted Information flow Policy: policy n processes that are not allowed to communicate with each other Interface specification ... pid 1 pid 2 pid n Observation function

  29. Trusted Information flow policy Interface specification Observation function

  30. Trusted Information flow policy Interface specification Observation function

  31. Trusted Information flow policy Interface specification Observation function

  32. Trusted Information flow policy Interface specification Observation function

  33. Trusted Information flow policy Interface specification Observation function

  34. Trusted Information flow policy Interface specification Observation function

  35. Trusted Information flow policy Interface specification Observation function

  36. Trusted Information flow policy Interface specification Observation function

  37. Trusted Information flow policy Interface specification Observation function

  38. Trusted Information flow policy Interface specification Observation function

  39. Trusted Information flow policy Interface specification Observation function

  40. Trusted Information flow policy Interface specification Observation function

  41. Trusted Information flow policy Interface specification Observation function

  42. Trusted Information flow policy Interface specification Observation function

  43. Trusted Information flow policy Nickel SMT Interface specification verifier Observation function

  44. Counter- Trusted example Information flow policy Channel Nickel SMT Interface specification verifier Observation function

  45. Counter- Trusted Design patterns example Information flow policy Bug • Partition names among domains • Reduce flows to the scheduler Nickel SMT Interface • Perform flow checks early specification verifier • Limit resource usage with quotas • Encrypt names from a large space Observation function • Expose or enclose nondeterminism

  46. Counter- Trusted example Information flow policy Bug Nickel SMT Interface specification verifier Observation function

  47. Counter- Trusted example Information flow policy Bug Nickel SMT Interface specification verifier Observation function

  48. Counter- Trusted example Information flow policy Channel Nickel SMT Interface specification verifier Observation function

  49. Counter- Trusted example Information flow policy Channel Nickel SMT Interface specification verifier Verified Observation function

  50. Outline • New formulation and proof strategy for noninterference • Nickel: A framework for design and verification of information flow control (IFC) systems • Experience building three systems using Nickel • First formally verified decentralized IFC OS kernel • Low proof burden: order of weeks

Recommend

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel Conference, Perth 15 October 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel

275 views • 25 slides
POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD & CEO Diggers & Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD & CEO Diggers & Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD & CEO Diggers & Dealers Site Tours August 2019 The Poseidon Proposition BLACK SWAN Ready to restart in less than 9 months at 8,000t nickel p.a. Primed to 3 year

709 views • 22 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD & CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD & CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD & CEO General Meeting 15 July 2019 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations

582 views • 21 slides
Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but maximum10, minutes) presentation made by a student about a particular companys logistics operations, as collected through their own work

340 views • 3 slides
High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15 October 2019 ASX: SGQ Nickel Market What Changed in 2019 Predictions of a stronger nickel price proven to be correct UBS, Miners Price

223 views • 20 slides
Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost Processing Mambare 2011/12 program discovers high-grade nickel Mambare Plateau: 20km north of Kokoda In 1999 Ananconda District, Oro Province

806 views • 21 slides
The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky State legislature passed a law to establish how school districts can fund their facilities. All school districts had to add a Nickel to their tax

353 views • 17 slides
Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel

Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel

Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel Nickel Uses of Nickel Industry Consumption (%) Nickel is one of the most commonly used metals and can be 3% found in over 300,000 products for

399 views • 18 slides
POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting -

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting -

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting - 28 November 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel Limited

275 views • 25 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1

POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1

POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations encompassing the WAs sulphide

330 views • 21 slides
Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland -

Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland -

ASX: RXL Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland - Managing Director 1 Who is Rox? An awarded Australian exploration company Strong Financial Positon: Cash of ~ $13 million & receivables of

553 views • 24 slides
The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David

The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David

The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David Ovadia Executive Chairman D i s c l a i m e r The information in this presentation, which does not purport to be comprehensive, has been provided

568 views • 8 slides
Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers

Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers

ASX: MCR Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers Presentation Kalgoorlie August 2018 Important Notice Disclaimer This presentation has been prepared by Mincor Resources NL ( MCR ).

314 views • 20 slides
Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects TSX-V: CNC August 20, 2020 Forward Looking Statements This Presentation contains certain information that may constitute "forward-looking

774 views • 26 slides
Recovery of metallic nickel from waste sludge produced by electrocoagulation of nickel

Recovery of metallic nickel from waste sludge produced by electrocoagulation of nickel

CYPRUS 2016, 4 th International Conference on Sustainable Solid Waste Management, 23-25 June 2016, Limasol, Cyprus Recovery of metallic nickel from waste sludge produced by electrocoagulation of nickel electroplating effluents K.

444 views • 23 slides
Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects

Introduction to Canada Nickel Company Delivering the Next Generation of Nickel Sulphide Projects TSX-V: CNC May 28, 2020 Forward Looking Statements This Presentation contains certain information that may constitute "forward-looking

450 views • 24 slides
Emerging Class 1 Nickel Producer Investor Roadshow September 2018 Michael Rodriguez, COO &

Emerging Class 1 Nickel Producer Investor Roadshow September 2018 Michael Rodriguez, COO &

Emerging Class 1 Nickel Producer Investor Roadshow September 2018 Michael Rodriguez, COO & Chris Indermaur, Chairman www.poseidon-nickel.com.au ASX:POS Important Notice and Disclaimer This presentation is issued by Poseidon Nickel Limited

286 views • 25 slides
Primary Application of Inconel, Nickel Alloy Welding Wires What t is Incone onel, l, Nickel el

Primary Application of Inconel, Nickel Alloy Welding Wires What t is Incone onel, l, Nickel el

Primary Application of Inconel, Nickel Alloy Welding Wires What t is Incone onel, l, Nickel el Allo loy y Weld ldin ing Wires? s? In the world, there are many grade of welding wires according to their chemical compositions. But,

336 views • 9 slides
West Bear Cobalt-Nickel An Open-Pit Amenable High Grade Cobalt-Nickel Zone Located in the

West Bear Cobalt-Nickel An Open-Pit Amenable High Grade Cobalt-Nickel Zone Located in the

West Bear Cobalt-Nickel An Open-Pit Amenable High Grade Cobalt-Nickel Zone Located in the Worlds Top Mining Jurisdiction Seeking Opportunities to Enhance UEX Shareholder Value Forward Looking Statements FORWARD-LOOKING INFORMATION AND

602 views • 21 slides
DONT FORGET THE NICKEL A SUPPL Y CHAIN ANAL YSIS 1 AABC Europe 2018 Disclaimer BRAZI

DONT FORGET THE NICKEL A SUPPL Y CHAIN ANAL YSIS 1 AABC Europe 2018 Disclaimer BRAZI

BRAZI AZILIAN AN N NICKEL DONT FORGET THE NICKEL A SUPPL Y CHAIN ANAL YSIS 1 AABC Europe 2018 Disclaimer BRAZI AZILIAN AN N NICKEL 2 AABC Europe 2018 Simplified Nickel Market Supply Chain - today BRAZI AZILIAN AN N NICKEL

331 views • 11 slides
Key raw materials nickel, chrome and iron: Limited availability despite sufficient geological

Key raw materials nickel, chrome and iron: Limited availability despite sufficient geological

Oryx Stainless Research Series Key raw materials nickel, chrome and iron: Limited availability despite sufficient geological reserves? What are the relevant criteria for the determination of the criticality of nickel, September 2012

550 views • 30 slides
NICKEL FRAC SAND World-Class, Highest-Quality Shovel-Ready, Frac Sand Product, Sulphide

NICKEL FRAC SAND World-Class, Highest-Quality Shovel-Ready, Frac Sand Product, Sulphide

TSX: Ni One Company, Two Compelling Investment Opportunities NICKEL FRAC SAND World-Class, Highest-Quality Shovel-Ready, Frac Sand Product, Sulphide Nickel Project Large Resource, Cash Flow TSX: Ni March 2015 Victory Nickel Company

487 views • 35 slides
RNC Update Conference Call True North Nickel Transaction Nickel Market Update June 2, 2014

RNC Update Conference Call True North Nickel Transaction Nickel Market Update June 2, 2014

RNC Update Conference Call True North Nickel Transaction Nickel Market Update June 2, 2014 Disclaimer Cautionary Statement Concerning Forward-Looking Statements This presentation contains "forward-looking information" including

431 views • 20 slides
Performa 285 Performa 285 High Alloy Zinc Nickel High Alloy Zinc Nickel Alloy Zinc Automotive

Performa 285 Performa 285 High Alloy Zinc Nickel High Alloy Zinc Nickel Alloy Zinc Automotive

Performa 285 Performa 285 High Alloy Zinc Nickel High Alloy Zinc Nickel Alloy Zinc Automotive Applications Alloy Zinc Automotive Applications Anti-Vibration Components Door Hinges Fasteners Brake Calipers Fluid Delivery Tubes Alkaline

317 views • 18 slides

More recommend