Micro-Policies: Formally Verified, Tag-Based Security Monitors
Many of today’s vulnerabilities arise from the violation of known, but in-practice unenforceable, safety and security policies, including high-level programming models and critical invariants of low-level programs. This project is aimed at showing that a wide range of low-level security policies can be efficiently enforced by a mechanism for tag-based hardware-assisted reference monitors we call micro-policies.
The micro-policy enforcement mechanism is low-level and fine-grained: large metadata tags are added to all machine words and these tags are efficiently checked and propagated on each machine instruction. The structure of the tags and the tag checking and propagation rules are defined by software. This provides great flexibility for defining policies and puts no arbitrary limitations on the size of the metadata and the number of policies supported. We have already investigated micro-policies for memory safety, control-flow integrity (CFI), compartment isolation, taint tracking, information-flow control (IFC), and dynamic sealing. Hardware caching of the software’s decision and several targeted micro-architectural optimizations ensure that monitoring imposes modest impact on runtime (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and chip area (110%).
A crucial part of this project is formally investigating the security guarantees provided by micro-policies. In recent work we introduced a methodology for defining and reasoning about such tag-based reference monitors in terms of a higher-level “symbolic machine.” We used this methodology to define and formally verify micro-policies for IFC, dynamic sealing, compartmentalization, CFI, and memory safety; in addition, we showed how to use the tagging mechanism to protect its own integrity. For each micro-policy, we proved in Coq by refinement that the symbolic machine instantiated with the policy’s rules embodies a high-level specification characterizing a useful security property. For micro-policies such as IFC and CFI we additionally used refinement to transport an extrinsic security property (e.g. non-interference, CFI) to the lowest level.
Many interesting research challenges remain open for micro-policies. While so far we have studied micro-policies in isolation, in practice it is also necessary to study the interactions between micro-policies and the compiler, the linker, the loader, and the operating system (OS). As the first steps in this direction, we have started looking at using micro-policies for efficient fully abstract compilation and for compartmentalizing a tiny OS. Another challenging research question is when can micro-policies be safely composed, so that the guarantees they achieve in isolation are enforced by the composition. Certain micro-policies are known to compose sensibly, and micro-architectural optimizations ensure that they perform well on practical workloads, but the general picture of how to compose micro-policy correctness proofs remains unclear. Finally, our current hardware simulations are done for a single-core in-order RISC processor (an Alpha), while our formal work is for an even simpler idealized RISC. In the future we would like to scale our work to a modern RISC instruction set (e.g. ARM) and more advanced hardware features such as out-of-order execution and even multi-core.
Catalin is a Researcher at Inria Paris where he develops rigorous formal techniques for solving security problems. He is particularly interested in: formal methods for computer and network security (isolation, access control, information-flow control, integrity, security protocols), programming languages (rigorous semantics, type systems, verification, property-based testing, formal metatheory, formally certified tools), and the design and verification of security-critical systems (reference monitors, secure hardware, security-preserving compilers, etc). He received a PhD in Computer Science from Saarland University and afterwards worked for a while as a Research Associate at the University of Pennsylvania.