• DocumentCode
    724648
  • Title

    Micro-Policies: Formally Verified, Tag-Based Security Monitors

  • Author

    De Amorim, Arthur Azevedo ; Denes, Maxime ; Giannarakis, Nick ; Hritcu, Catalin ; Pierce, Benjamin C. ; Spector-Zabusky, Antal ; Tolmach, Andrew

  • fYear
    2015
  • fDate
    17-21 May 2015
  • Firstpage
    813
  • Lastpage
    830
  • Abstract
    Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine" and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety, in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy\´s rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.
  • Keywords
    cache storage; inference mechanisms; meta data; security of data; formally verified security monitors; hardware design; hardware rule cache; metadata tags; micro-policies; reasoning; software controller; tag-based reference monitors; tag-based security monitors; Concrete; Hardware; Monitoring; Registers; Safety; Transfer functions;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy (SP), 2015 IEEE Symposium on
  • Conference_Location
    San Jose, CA
  • ISSN
    1081-6011
  • Type

    conf

  • DOI
    10.1109/SP.2015.55
  • Filename
    7163062
    • Link To Document
    https://search.isc.ac/dl/search/defaultta.aspx?DTC=49&DC=724648