Title :
Micro-Policies: Formally Verified, Tag-Based Security Monitors
Author :
De Amorim, Arthur Azevedo ; Denes, Maxime ; Giannarakis, Nick ; Hritcu, Catalin ; Pierce, Benjamin C. ; Spector-Zabusky, Antal ; Tolmach, Andrew
Abstract :
Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine" and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety, in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy\´s rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.
Keywords :
cache storage; inference mechanisms; meta data; security of data; formally verified security monitors; hardware design; hardware rule cache; metadata tags; micro-policies; reasoning; software controller; tag-based reference monitors; tag-based security monitors; Concrete; Hardware; Monitoring; Registers; Safety; Transfer functions;
Conference_Titel :
Security and Privacy (SP), 2015 IEEE Symposium on
Conference_Location :
San Jose, CA
