Operationally proving memory access violations in Isabelle/HOL
Abstract
Security-critical applications often rely on memory isolation mechanisms to ensure the integrity of critical data (e.g., keys) and program instructions (e.g., those implementing an attestation protocol). These include software-based techniques such as the security microvisor SμV and hardware-based ones such as TrustLite or SMART. Here, we must guarantee that during an execution of a program, none of the assembly-level instructions corresponding to the program violates the imposed memory access restrictions. We focus on two security architectures (SμV and TrustLite). We use the Binary Analysis Platform (BAP) to generate assembly-level code in an intermediate language (BIL) for a compiled C program. This is then translated to Isabelle/HOL theories. We develop an operational semantics by defining a collection of transition rules for a subset of BIL (called AIRv2) that is sufficient for our work. We develop an adversary model and define conformance predicates for each assembly-level instruction. A conformance predicate holds iff the associated memory access restriction imposed by the underlying security architecture is satisfied. We generate a set of programs covering all possible cases in which an assembly-level instruction attempts to violate at least one of the conformance predicates. For SμV, we capture all such violations not only by checking specific lines of the program but also by applying the operational semantics for every machine-state transition. This shows that the memory access restrictions of SμV are operationally maintained. For TrustLite, we capture all such violations by checking specific lines of the program. We also provide an example showing how the operational semantics can be used to capture such violations.
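As an added illustration, not code from the paper (which works in Isabelle/HOL over BIL), the following toy Python model mirrors the approach: a transition rule per instruction, a conformance predicate per instruction, and a run that evaluates the predicate at every machine-state transition rather than only at fixed program lines. The three-operand instruction subset, the memory layout and the access rule (protected data reachable only from a trusted code region) are constructed assumptions, not the actual SμV or TrustLite restrictions.

```python
# Constructed memory layout (an assumption, not the SμV/TrustLite layout):
TRUSTED_CODE = range(0, 3)        # pcs whose instructions are trusted
PROTECTED = range(0x100, 0x110)   # protected data region (e.g. keys)

def conforms(state, instr):
    """Conformance predicate: holds iff this instruction's memory access
    respects the restriction (protected data only from trusted code)."""
    pc, regs, _ = state
    op = instr[0]
    if op in ("load", "store"):
        addr = regs.get(instr[2] if op == "load" else instr[1], 0)
        return addr not in PROTECTED or pc in TRUSTED_CODE
    return True

def step(state, instr):
    """Transition rule for one instruction: returns the successor state."""
    pc, regs, mem = state
    regs, mem = dict(regs), dict(mem)   # states are immutable snapshots
    op = instr[0]
    if op == "mov":
        regs[instr[1]] = instr[2]
    elif op == "add":
        regs[instr[1]] = regs[instr[1]] + regs[instr[2]]
    elif op == "load":
        regs[instr[1]] = mem.get(regs[instr[2]], 0)
    elif op == "store":
        mem[regs[instr[1]]] = regs[instr[2]]
    return pc + 1, regs, mem

def run(program):
    """Apply the semantics from the initial state; collect every (pc, instr)
    whose conformance predicate fails in the state it executes in."""
    state, violations = (0, {}, {}), []
    while state[0] < len(program):
        instr = program[state[0]]
        if not conforms(state, instr):
            violations.append((state[0], instr))
        state = step(state, instr)
    return violations

# Constructed program: trusted code stores a key at 0x100; untrusted code
# then builds the same address arithmetically and tries to overwrite it.
PROGRAM = [
    ("mov", "r0", 0x100), ("mov", "r1", 0x42), ("store", "r0", "r1"),  # pcs 0-2
    ("mov", "r2", 0xF0), ("mov", "r3", 0x10), ("add", "r2", "r3"),     # pcs 3-5
    ("store", "r2", "r1"),  # pc 6: r2 is 0x100, untrusted -> violation
]
```

The store at pc 6 never names a protected address in its text, so a check of that line alone would pass; only stepping the semantics to the state in which it executes exposes the violation.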
Elsevier