nickel a framework for design and verification of
play

Nickel: A framework for design and verification of information flow - PowerPoint PPT Presentation

Sep 17, 2023 •418 likes •749 views

Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1

  1. Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day � 1

  2. Motivation: high verification burden • Verification is effective at eliminating bugs • Requires expertise • Large time investment � 2

  3. Approach: push-button verification Crash-safe filesystems (Python) Yggdrasil OSDI 2016 Small OS kernel (C, memory isolation) Hyperkernel SOSP 2017 Information flow control systems Nickel OSDI 2018 � 3

  4. Information flow control systems

  7. Goal: eliminate covert channels from systems • Covert channel (Lampson ’73) : unintended flow between system components • Approach : verification-driven development • Verify noninterference for interface specification • Verify refinement for implementation • Limitations : no physical channels; no concurrency � 7

  8. Contributions • Formulation of noninterference amenable to automated verification • Nickel is a framework for verifying IFC systems. • Applied Nickel to verify systems including • NiStar: first formally verified DIFC OS kernel • ARINC 653 communication interface: avionics kernel standard � 8

  9. Example covert channel: resource names Policy : process A and process B should not communicate Interface : spawn system call returns sequential PIDs Try to violate policy by sending a secret (in this case, 2) to process B 2 Process A Process B � 9

  10. Example covert channel: resource names Policy : process A and process B should not communicate Interface : spawn system call returns sequential PIDs Process A Process B 6-3-1= 2 spawn → 3 spawn → 4 spawn → 5 spawn → 6 � 10

  11. Noninterference intuition Process A Process A Process B Process B spawn → 4 spawn → 5 spawn → 6 spawn → 3 Process B Process B spawn → 4 spawn → 3 � 11

  12. Noninterference intuition Many kinds of covert channels Process A Process A • Resource names and exhaustion Process B Process B spawn → 4 spawn → 5 spawn → 6 spawn → 3 • Statistical information • Error handling • Scheduling Process B Process B • Devices and services spawn → 4 spawn → 3 � 12

  13. Noninterference For any trace tr, action a, removing “irrelevant” actions should not affect the output of a. output ( run ( init , tr ), a ) = output ( run ( init , purge* ( tr , a )), a ) � 13

  14. Information flow policies in Nickel D : Set A set of domains A can-flow-to relation specifying permitted ⇝ ⊆ ( D × D ) flows among domains A function mapping an dom : ( A × S ) → D action in a state to a domain pid 1 pid 2 pid n � 14

  15. Automated verification of noninterference Proof strategy : unwinding conditions • Together imply noninterference • Reason about one action at a time • Amenable to SMT solving using Z3 v I ( s ) ∧ ¬( dom ( a , s ) ⇝ v ) → s ≈ step(s, a) Local respect I ( s ) ∧ I ( t ) ∧ s dom ( a , s ) Output consistency t → output ( s , a ) = output ( t , a ) ≈ ≈ t ∧ s dom ( a , s ) Weak step consistency u u t → step(s, a) ≈ step ( t , a ) I ( s ) ∧ I ( t ) ∧ s ≈ � 15

  16. Nickel workflow Counterexample Design Verify interface Interface Specify interface against policy noninterference policy Counterexample Verify Implement implementation interface against interface Implementation noninterference and functional correctness � 16

  17. Programmer inputs Information flow policy Interface specification Observational equivalence � 17

  18. Information flow policy Interface specification Observational equivalence n processes that are not allowed to communicate pid 1 pid 2 pid n � 18

  19. Information flow policy Interface specification Observational equivalence n processes that are not allowed to communicate class State : current = PidT() nr_procs = SizeT() proc_status = Map(PidT, StatusT) def can_flow_to(domain1, domain2): # Flow only permitted if same domain return domain1 == domain2 def dom(action, state): # Domain of each action is current process return state.current pid 1 pid 2 pid n � 19

  20. Information flow policy Interface specification Observational equivalence def sys_spawn(old): Compute child pid child_pid = old.nr_procs + 1 Precondition for pre = child_pid <= NR_PROCS system call new = old.copy() Update system state new.nr_procs += 1 new.proc_status[child_pid] = RUNNABLE Return new state return pre, If (pre, new, old) � 20

  21. Information flow policy Interface specification Observational equivalence pid 4 State 1 ≈ State 2 current current nr_procs nr_procs proc_status[3] proc_status[3] proc_status[4] proc_status[4] � 21

  22. Information flow policy Interface specification Observational equivalence class State : current = PidT() nr_procs = SizeT() proc_status = Map(PidT, StatusT) def obs_eqv(domain, state1, state2): return And( state1.current == state2.current, state1.nr_procs == state2.nr_procs, state1.proc_status[domain.pid] == state2.proc_status[domain.pid] ) pid 4 State 1 ≈ State 2 current current nr_procs nr_procs proc_status[3] proc_status[3] proc_status[4] proc_status[4] � 22

  23. Systems verified using Nickel Component NiStar NiKOS ARINC 653 Information flow policy 26 14 33 Interface specification 714 82 240 Observational equivalence 127 56 80 Implementation 3,155 343 — User-space implementation 9,348 389 — Common kernel infrastructure 4,829 (shared by NiStar/NiKOS) — � 23

  24. Demo

  25. spawn example pid 1 pid 2 pid n � 25

  26. tainting example send(B, 12) Process A Process B Process C Process D Value: 0 Value: 42 Value: 3 Value: 5 Level: tainted Level: untainted Level: untainted Level: tainted � 26

  27. tainting example send(B, 12) Process A Process B Process C Process D Value: 0 Value: 12 Value: 3 Value: 5 Level: tainted Level: tainted Level: untainted Level: tainted � 27

  28. tainting example Process A if Value == 0: wait(500) send(B, 0) if Level != tainted: Value: secret_bit send(C, 1) Level: tainted Process B Value: 0 wait(1000) Process C Level: untainted if Value == 0: # secret is 0 Value: 0 else: # secret is 1 Level: untainted � 28

  29. tainting example Process A if Value == 0: wait(500) send(B, 0) if Level != tainted: Value: 1 send(C, 1) Level: tainted Process B Value: 0 wait(1000) Process C Level: untainted if Value == 0: # secret is 0 Value: 1 else: # secret is 1 Level: untainted send(C, 1) � 29

  30. tainting example Process A if Value == 0: wait(500) send(B, 0) if Level != tainted: Value: 0 send(C, 1) Level: tainted Process B Value: 0 send(B, 0) wait(1000) Process C Level: tainted if Value == 0: # secret is 0 Value: 0 else: # secret is 1 Level: untainted � 30

  31. Thanks! https://nickel.unsat.systems � 31

Recommend

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

VLSI Design Verification and Test Simulation CMPE 646 Design Verification Simulation used for 1) design verification : verify the correctness of the design and 2) test verification. Design verification: Specification Critical or

426 views • 15 slides
POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Paydirt Nickel Conference, Perth 15 October 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel

275 views • 25 slides
Design Verification with e The language e Contains all the constructs necessary

Design Verification with e The language e Contains all the constructs necessary

Design Verification with e The language e Contains all the constructs necessary for a complete verification tool Allows objects in the verification environment to be extended Needs to express constraints Coverage

946 views • 80 slides
CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test,

CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test,

CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test, Fall 2006. 3 credits. Course Instructor: Dr. Jim Plusquellic, Professor of Computer Science &amp; Electrical Engineering Office: ECS 212,

760 views • 3 slides
POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD &amp; CEO Diggers &amp; Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD &amp; CEO Diggers &amp; Dealers

POSEIDON NICKEL Primed for the Nickel Revival Rob Dennis, MD &amp; CEO Diggers &amp; Dealers Site Tours August 2019 The Poseidon Proposition BLACK SWAN Ready to restart in less than 9 months at 8,000t nickel p.a. Primed to 3 year

709 views • 22 slides
Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design Verification Design Standards Design Verification Verification Methods Approaches State Machines Program Tracing Program Correctness

499 views • 3 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD &amp; CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD &amp; CEO

POSEIDON NICKEL Re emerging Australian Nickel Producer Update by Rob Dennis, MD &amp; CEO General Meeting 15 July 2019 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations

582 views • 21 slides
Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but

Nickel Presentation Guidelines Nickel Presentation is a brief (e.g., minimum 5, but maximum10, minutes) presentation made by a student about a particular companys logistics operations, as collected through their own work

340 views • 3 slides
High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15

High-Grade Nickel-Copper Sulphide Project in Western Australia Australian Nickel Conference 15 October 2019 ASX: SGQ Nickel Market What Changed in 2019 Predictions of a stronger nickel price proven to be correct UBS, Miners Price

223 views • 20 slides
Validation and Verification Using Spatial Logic Framework for Building Layouts By Abhinav

Validation and Verification Using Spatial Logic Framework for Building Layouts By Abhinav

Validation and Verification Using Spatial Logic Framework for Building Layouts By Abhinav Fatehpuria Vineet Gupta 12/ 6/ 2005 ENPM 643 System Validation &amp; Verification 1 Agenda Background Project Description Floor Plan

340 views • 32 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (April 13, 2000 6:35 pm) I E S R

UMBC A B M A L T F O U M B C I M Y O R T 1 (April 13, 2000 6:35 pm) I E S R

Advanced VLSI Design VLSI Simulation CMPE 414/CMSC 691x Overview Design Automation is essential in dealing with the complexity of IC design and verification. There are a wide range of tools available: Analysis and verification tools to

388 views • 16 slides
Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost

Direct Nickel Limited March 2012 abr Emerging Global Nickel Producer with Lowest Cost Processing Mambare 2011/12 program discovers high-grade nickel Mambare Plateau: 20km north of Kokoda In 1999 Ananconda District, Oro Province

806 views • 21 slides
The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky

The Nickel Tax ESTILL COUNTY SCHOOL DISTRICT WHAT IS THE NICKEL? In the 1990s, the Kentucky State legislature passed a law to establish how school districts can fund their facilities. All school districts had to add a Nickel to their tax

353 views • 17 slides
iCar iCar Craig Nickel ENSE 623 Design Project December 4, 2007 Outline Outline

iCar iCar Craig Nickel ENSE 623 Design Project December 4, 2007 Outline Outline

iCar iCar Craig Nickel ENSE 623 Design Project December 4, 2007 Outline Outline Introduction Use Case Model System Modeling, Analysis &amp; Design Requirements Specifications &amp; Constraints System Validation &amp;

153 views • 13 slides
Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel

Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel

Global Ferronickel Holdings, Inc. Investor Relations Presentation July 2016 Section I. Nickel Nickel Uses of Nickel Industry Consumption (%) Nickel is one of the most commonly used metals and can be 3% found in over 300,000 products for

399 views • 18 slides
POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting -

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting -

POSEIDON NICKEL Primed for the Nickel Revival David Riekie, Interim CEO Annual General Meeting - 28 November 2019 Disclaimer This presentation has been prepared for the purpose of providing general information about Poseidon Nickel Limited

275 views • 25 slides
POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1

POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1

POSEIDON NICKEL Re emerging Australian Nickel Producer Brokers Presentation June 2019 1 Poseidon Overview Significant Nickel Resource** 44 million Tonnes o 392,000 Ni Tonnes* o Three operations encompassing the WAs sulphide

330 views • 21 slides
Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland -

Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland -

ASX: RXL Waiting for the Nickel Bounce Australian Nickel Conference 17 October 2017 Ian Mulholland - Managing Director 1 Who is Rox? An awarded Australian exploration company Strong Financial Positon: Cash of ~ $13 million &amp; receivables of

553 views • 24 slides
The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David

The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David

The Worlds Next Major Nickel Province? Nickel and PGMs Kalahari Key Ltd Botswana David Ovadia Executive Chairman D i s c l a i m e r The information in this presentation, which does not purport to be comprehensive, has been provided

568 views • 8 slides
PROGRAM VERIFICATION SCHEMATIC DESIGN DESIGN DEVELOPMENT CONSTRUCTION DOCUMENTS CONSTRUCTION

PROGRAM VERIFICATION SCHEMATIC DESIGN DESIGN DEVELOPMENT CONSTRUCTION DOCUMENTS CONSTRUCTION

9-22-16: 10-6-16 BUILDING PRELIMINARY REVIEW BOARD OF COMMISSION DOCUMENTS COMPLETE REGENTS MEETING. AUTHORITY TO 9-22-16: CONSTRUCT DESIGN REPORT COMPLETE PROGRAM VERIFICATION SCHEMATIC DESIGN DESIGN DEVELOPMENT CONSTRUCTION

334 views • 6 slides
Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers

Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers

ASX: MCR Dawn of a New Nickel Era Restoring Kambaldas Pre -eminent Position in Nickel Diggers and Dealers Presentation Kalgoorlie August 2018 Important Notice Disclaimer This presentation has been prepared by Mincor Resources NL ( MCR ).

314 views • 20 slides
Flight Readiness Review Presentation Vanderbilt Aerospace Design Lab Vanderbilt Aerospace Design

Flight Readiness Review Presentation Vanderbilt Aerospace Design Lab Vanderbilt Aerospace Design

Flight Readiness Review Presentation Vanderbilt Aerospace Design Lab Vanderbilt Aerospace Design Lab: FRR 3/6/2017 Meeting Agenda Mission Overview Vehicle Design &amp; Verification Payload Design &amp; Verification Launch Results Ground

980 views • 66 slides

More recommend