Results 1  10
of
17
Formal specification and verification of data separation in a separation kernel for an embedded system
 In CCS
, 2006
"... Although many algorithms, hardware designs, and security protocols have been formally verified, formal verification of the security of software is still rare. This is due in large part to the large size of software, which results in huge costs for verification. This paper describes a novel and pract ..."
Abstract

Cited by 28 (4 self)
 Add to MetaCart
Although many algorithms, hardware designs, and security protocols have been formally verified, formal verification of the security of software is still rare. This is due in large part to the large size of software, which results in huge costs for verification. This paper describes a novel and practical approach to formally establishing the security of code. The approach begins with a welldefined set of security properties and, based on the properties, constructs a compact security model containing only information needed to reason about the properties. Our approach was formulated to provide evidence for a Common Criteria evaluation of an embedded software system which uses a separation kernel to enforce data separation. The paper describes 1) our approach to verifying the kernel code and 2) the artifacts used in the evaluation: a Top Level Specification (TLS) of the kernel behavior, a formal definition of data separation, a mechanized proof that the TLS enforces data separation, code annotated with pre and postconditions and partitioned into three categories, and a formal demonstration
A verifying core for a cryptographic language compiler
 In Manolios, P., Wilding, M., eds.: 6th ACL2 Workshop. (2006
, 2006
"... A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 micropr ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 microprocessor (and is designed to compile efficiently to hardware, too). This paper reports on our success in verifying the “core ” transformations of the compiler – those transformations over the sublanguage of µCryptol that begin after “higherorder ” aspects of the language are compiled away, and finish just before hardware or software specific transformations are exercised. The core transformations are responsible for aggressive optimizations. We have written an ACL2 macro that automatically generates both the correspondence theorems and their proofs. The compiler also supplies measure functions that ACL2 uses to automatically prove termination of µCryptol programs, including programs with mutuallyrecursive cliques of streams. Our verifying compiler has proved the correctness of its core transformations for multiple algorithms, including TEA, RC6, and AES. Finally, we describe an ACL2 book of primitive operations for the general specification and verification of encryption algorithms. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program Verification—correctness proofs, formal methods, reliability; D.3.4 ∗ The ACL2 books associated with this paper can be retrieved at
Verification Condition Generation via Theorem Proving
 Proceedings of the 13th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2006), Vol. 4246 of LNCS
, 2006
"... Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an offtheshelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover di ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an offtheshelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover directly on the operational semantics to generate verification conditions analogous to those produced by a custombuilt VCG. Thus no separate VCG is necessary, and the theorem prover can be employed both to generate and to discharge the verification conditions. The method handles both partial and total correctness. It is also compositional in that the correctness of a subroutine needs to be proved once, rather than at each call site. The method has been used to verify several machinelevel programs using the ACL2 theorem prover. 1
A Robust Machine Code Proof Framework for Highly Secure Applications
 In Proceedings of the 2006 ACL2 Workshop
, 2006
"... Securitycritical applications at the highest Evaluation Assurance Levels (EAL) require formal proofs of correctness in order to achieve certification. To support secure application development at the highest EALs, we have developed techniques to largely automate the process of producing proofs of c ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Securitycritical applications at the highest Evaluation Assurance Levels (EAL) require formal proofs of correctness in order to achieve certification. To support secure application development at the highest EALs, we have developed techniques to largely automate the process of producing proofs of correctness of machine code. As part of the Secure, HighAssurance Development Environment program, we have produced in ACL2 an executable formal model of the Rockwell Collins AAMP7G microprocessor at the instruction set level, in order to facilitate proofs of correctness about that processor’s machine code. The AAMP7G, currently in use in Rockwell Collins secure system products, supports strict time and space partitioning in hardware, and has received a U.S. National Security Agency (NSA) Multiple Independent Levels of Security (MILS) certificate based in part on a formal proof of correctness of its separation kernel microcode. Proofs of correctness of AAMP7G machine code are accomplished using the method of “compositional cutpoints”, which requires neither traditional clock functions nor a Verification Condition Generator (VCG). In this paper, we will summarize the AAMP7G architecture, detail our ACL2 model of the processor, and describe our development of the compositional cutpoint method into a robust machine code proof framework.
Integrating External Deduction Tools with ACL2
 Sutcliffe (Eds.), Proceedings of the 6th International Workshop on Implementation of Logics (IWIL 2006
, 2006
"... We present an interface connecting the ACL2 theorem prover with external deduction tools. The logic of ACL2 contains several constructs intended to facilitate structuring of interactive proof development, which complicates the design of such an interface. We discuss some of these complexities and de ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
We present an interface connecting the ACL2 theorem prover with external deduction tools. The logic of ACL2 contains several constructs intended to facilitate structuring of interactive proof development, which complicates the design of such an interface. We discuss some of these complexities and develop a precise specification of the requirements from external tools for sound connection with ACL2. We also develop constructs within ACL2 to enable the developers of external tools to satisfy our specifications. 1
Verification of executable pipelined machines with bitlevel interfaces
 In ICCAD2005, International Conference on ComputerAided Design
, 2005
"... Abstract — We show how to verify pipelined machine models with bitlevel interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify away the datapath, require the use of numerous abstractions, i ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
Abstract — We show how to verify pipelined machine models with bitlevel interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify away the datapath, require the use of numerous abstractions, implement a small subset of the instruction set, and are far from executable. In contrast, we focus on verifying executable machines with bitlevel interfaces. Such proofs have previously required substantial expert guidance and the use of deductive reasoning engines. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bitlevel machine refines its instruction set architecture to a proof that a term level abstraction of the bitlevel machine refines the instruction set architecture, which is then handled automatically by UCLID. In this way, we exploit the strengths of ACL2 and UCLID to prove theorems that are not possible to even state using UCLID and that would require prohibitively more effort using just ACL2. I.
Achieving information flow security through monadic control of effects
 JOURNAL OF COMPUTER SECURITY
, 2009
"... This paper advocates a novel approach to the construction of secure software: controlling information flow and maintaining integrity via monadic encapsulation of effects. This approach is constructive, relying on properties of monads and monad transformers to build, verify, and extend secure softwar ..."
Abstract

Cited by 6 (5 self)
 Add to MetaCart
This paper advocates a novel approach to the construction of secure software: controlling information flow and maintaining integrity via monadic encapsulation of effects. This approach is constructive, relying on properties of monads and monad transformers to build, verify, and extend secure software systems. We illustrate this approach by construction of abstract operating systems called separation kernels. Starting from a mathematical model of sharedstate concurrency based on monads of resumptions and state, we outline the development by stepwise refinements of separation kernels supporting Unixlike system calls, interdomain communication, and a formally verified security policy (domain separation). Because monads may be easily and safely represented within any pure, higherorder, typed functional language, the resulting system models may be directly realized within a language such as Haskell.
Applying Formal Methods to a Certifiably Secure Software System
 IEEE TRANS. ON SOFTWARE ENG
, 2008
"... A major problem in verifying the security of code is that the code’s large size makes it much too costly to verify in its entirety. This paper describes a novel and practical approach to verifying the security of code which substantially reduces the cost of verification. In this approach, a compact ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
A major problem in verifying the security of code is that the code’s large size makes it much too costly to verify in its entirety. This paper describes a novel and practical approach to verifying the security of code which substantially reduces the cost of verification. In this approach, a compact security model containing only information needed to reason about the security properties of interest is constructed and the security properties are represented formally in terms of the model. To reduce the cost of verification, the code to be verified is partitioned into three categories and only the first category, which is less than 10 percent of the code in our application, requires formal verification. The proof of the other two categories is relatively trivial. Our approach was developed to support a Common Criteria evaluation of the separation kernel of an embedded software system. This paper describes 1) our techniques and theory for verifying the kernel code and 2) the artifacts produced, that is, a TopLevel Specification (TLS), a formal statement of the security property, a mechanized proof that the TLS satisfies the property, the partitioning of the code, and a demonstration that the code conforms to the TLS. This paper also presents the formal basis for the argument that the kernel code conforms to the TLS and consequently satisfies the security property.
A Framework for Verifying BitLevel Pipelined Machines Based on Automated Deduction and Decision Procedures
 Journal of Automated Reasoning
, 2006
"... Abstract. We describe an approach to verifying bitlevel pipelined machine models using a combination of deductive reasoning and decision procedures. While theorem proving systems such as ACL2 have been used to verify bitlevel designs, they typically require extensive expert user support. Decision ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. We describe an approach to verifying bitlevel pipelined machine models using a combination of deductive reasoning and decision procedures. While theorem proving systems such as ACL2 have been used to verify bitlevel designs, they typically require extensive expert user support. Decision procedures such as those implemented in UCLID can be used to automatically and efficiently verify termlevel pipelined machine models, but these models use numerous abstractions, implement a subset of the instruction set, and are far from executable. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bitlevel machine refines its instruction set architecture to a proof that a termlevel abstraction of the bitlevel machine refines the instruction set architecture, which is then handled automatically by UCLID. We demonstrate the efficiency of our approach by applying it to verify a complex seven stage bitlevel interface pipelined machine model that implements 593 instructions and has features such as branch prediction, exceptions, and predicated instruction execution. Such a proof is not possible using UCLID and would require prohibitively more effort using just ACL2.
An ACL2 library for bags (multisets
 In Proceedings of ACL2’04
, 2004
"... In support of our ongoing ACL2 work, Rockwell Collins has developed a library of definitions and lemmas for bags (or multisets). This paper describes that library. Our early work with bags had the limited purpose of supporting a proof about the AAMP7 microprocessor but contained many nice features, ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
In support of our ongoing ACL2 work, Rockwell Collins has developed a library of definitions and lemmas for bags (or multisets). This paper describes that library. Our early work with bags had the limited purpose of supporting a proof about the AAMP7 microprocessor but contained many nice features, including fancy bindfree and:meta rules for use when more basic rules would be expensive. We have collected the bag definitions and rules into a library and have added many new rules to make the library more widely useful. Work on the library continues. 1