Skip to main content
Springer Nature Link
Log in

Formalising the Prevention of Microarchitectural Timing Channels by Operating Systems

  • Conference paper
  • First Online:
Formal Methods (FM 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14000))

Included in the following conference series:

Abstract

Microarchitectural timing channels are a well-known mechanism for information leakage. Time protection has recently been demonstrated as an operating-system mechanism able to prevent them. However, established theories of information-flow security are insufficient for verifying time protection, which must distinguish between (legal) overt and (illegal) covert flows. We provide a machine-checked formalisation of time protection via a dynamic, observer-relative, intransitive nonleakage property over a careful model of the state elements that cause timing channels. We instantiate and prove our property over a generic model of OS interaction with its users, demonstrating for the first time the feasibility of proving time protection for OS implementations.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Ensuring that it does not act as a courier requires very sophisticated reasoning about D, e.g. proving that it obeys constant-time programming discipline [1, 6].

References

  1. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constant-time implementations. In: USENIX Security Symposium, pp. 53–70 (2016)

    Google Scholar 

  2. Barthe, G., Betarte, G., Campo, J.D., Luna, C.: Formally verifying isolation and availability in an idealized model of virtualization. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 231–245. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21437-0_19

    Chapter  Google Scholar 

  3. Barthe, G., Betarte, G., Campo, J.D., Luna, C.: Cache-leakage resilient OS isolation in an idealized model of virtualization. In: Proceedings of the 25th IEEE Computer Security Foundations Symposium, pp. 186–197. IEEE (2012)

    Google Scholar 

  4. Barthe, G., Betarte, G., Campo, J.D., Luna, C.D., Pichardie, D.: System-level non-interference for constant-time cryptography. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 1267–1279. ACM (2014). https://doi.org/10.1145/2660267.2660283

  5. Buckley, S., Sison, R., Klein, G.: An Isabelle/HOL formalisation of microarchitectural timing channel prevention by operating systems - VM artifact and proof release (2022). https://zenodo.org/record/7340166

  6. Cauligi, S., et al.: Constant-time foundations for the new spectre era. In: Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, 15–20 June 2020, pp. 913–926. ACM (2020). https://doi.org/10.1145/3385412.3385970

  7. Chen, H., Shapiro, J.S.: Using build-integrated static checking to preserve correctness invariants. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, Washington, DC, USA, 25–29 October 2004, pp. 288–297. ACM (2004). https://doi.org/10.1145/1030083.1030122

  8. Costanzo, D., Shao, Z., Gu, R.: End-to-end verification of information-flow security for C and assembly programs. In: ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 648–664 (2016)

    Google Scholar 

  9. Daum, M., Billing, N., Klein, G.: Concerned with the unprivileged: user programs in kernel refinement. Formal Aspects Comput. 26(6), 1205–1229 (2014). https://trustworthy.systems/publications/nicta_full_text/7114.pdf

  10. Dennis, J.B., Van Horn, E.C.: Programming semantics for multiprogrammed computations. Commun. ACM 9, 143–155 (1966)

    Article  MATH  Google Scholar 

  11. Ge, Q., Yarom, Y., Chothia, T., Heiser, G.: Time protection: the missing OS abstraction. In: EuroSys Conference. ACM, Dresden (2019). https://trustworthy.systems/publications/full_text/Ge_YCH_19.pdf

  12. Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8, 1–27 (2018). https://trustworthy.systems/publications/full_text/Ge_YCH_18.pdf

  13. Ge, Q., Yarom, Y., Heiser, G.: No security without time protection: we need a new hardware-software contract. In: Asia-Pacific Workshop on Systems (APSys). ACM SIGOPS, Korea (2018). https://trustworthy.systems/publications/full_text/Ge_YH_18.pdf

  14. Gullasch, D., Bangerter, E., Krenn, S.: Cache games - bringing access-based cache attacks on AES to practice. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 490–505. IEEE, Oakland (2011)

    Google Scholar 

  15. Heiser, G., Klein, G., Murray, T.: Can we prove time protection? In: Workshop on Hot Topics in Operating Systems (HotOS), pp. 23–29. ACM, Bertinoro (2019). https://trustworthy.systems/publications/full_text/Heiser_KM_19.pdf

  16. Heiser, G., Murray, T., Klein, G.: Towards provable timing-channel prevention. ACM Oper. Syst. Rev. 54, 1–7 (2020). https://trustworthy.systems/publications/full_text/Heiser_MK_20.pdf

  17. Kessler, R.E., Hill, M.D.: Page placement algorithms for large real-indexed caches. ACM Trans. Comput. Syst. 10, 338–359 (1992)

    Article  Google Scholar 

  18. Kim, T., Peinado, M., Mainar-Ruiz, G.: StealthMem: system-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the 21st USENIX Security Symposium, pp. 189–204. USENIX, Bellevue (2012)

    Google Scholar 

  19. Klein, G., et al.: seL4: Formal verification of an OS kernel. In: ACM Symposium on Operating Systems Principles, pp. 207–220. ACM, Big Sky (2009). https://trustworthy.systems/publications/nicta_full_text/1852.pdf

  20. Kocher, P., et al.: Spectre attacks: exploiting speculative execution [abridged version]. Commun. ACM 63, 93–101 (2020)

    Article  Google Scholar 

  21. Li, S.W., Li, X., Gu, R., Nieh, J., Hui, J.Z.: A secure and formally verified Linux KVM hypervisor. In: IEEE Security and Privacy (2021)

    Google Scholar 

  22. Liedtke, J., Härtig, H., Hohmuth, M.: OS-controlled cache predictability for real-time systems. In: IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pp. 213–223. IEEE, Montreal (1997)

    Google Scholar 

  23. Liu, M., et al.: Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation. Proc. ACM Program. Lang. 4(POPL), 1–31 (2019)

    Google Scholar 

  24. Murray, T., et al.: seL4: from general purpose to a proof of information flow enforcement. In: IEEE Symposium on Security and Privacy, pp. 415–429. IEEE, San Francisco (2013). https://trustworthy.systems/publications/nicta_full_text/6464.pdf

  25. Murray, T., Matichuk, D., Brassil, M., Gammie, P., Klein, G.: Noninterference for operating system kernels. In: Hawblitzel, C., Miller, D. (eds.) CPP 2012. LNCS, vol. 7679, pp. 126–142. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-35308-6_12, https://trustworthy.systems/publications/nicta_full_text/6004.pdf

  26. Nipkow, T., Paulson, L., Wenzel, M.: Isabelle/HOL - A Proof Assistant for Higher-Order Logic. Lecture Notes in Computer Science, vol. 2283. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45949-9

    Book  MATH  Google Scholar 

  27. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_1

    Chapter  Google Scholar 

  28. Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa, CA (2005). http://css.csail.mit.edu/6.858/2014/readings/ht-cache.pdf

  29. seL4 microkernel code and proofs. https://github.com/seL4/

  30. Sewell, T., Kam, F., Heiser, G.: Complete, high-assurance determination of loop bounds and infeasible paths for WCET analysis. In: IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Vienna, Austria (2016). https://trustworthy.systems/publications/nicta_full_text/9118.pdf

  31. Sewell, T., Kam, F., Heiser, G.: High-assurance timing analysis for a high-assurance real-time OS. Real-Time Syst. 53, 812–853 (2017). https://trustworthy.systems/publications/full_text/Sewell_KH_17.pdf

  32. Sewell, T., Winwood, S., Gammie, P., Murray, T., Andronick, J., Klein, G.: seL4 enforces integrity. In: van Eekelen, M., Geuvers, H., Schmaltz, J., Wiedijk, F. (eds.) ITP 2011. LNCS, vol. 6898, pp. 325–340. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22863-6_24, https://trustworthy.systems/publications/nicta_full_text/4709.pdf

  33. Sun, J., Long, X., Zhao, Y.: A verified capability-based model for information flow security with dynamic policies. IEEE Access 6, 16395–16407 (2018)

    Article  Google Scholar 

  34. Wistoff, N., Schneider, M., Gürkaynak, F., Benini, L., Heiser, G.: Microarchitectural timing channels and their prevention on an open-source 64-bit RISC-V core. In: Design, Automation and Test in Europe (DATE). IEEE, Virtual (2021). https://trustworthy.systems/publications/full_text/Wistoff_SGBH_21.pdf

  35. Wistoff, N., Schneider, M., Gürkaynak, F., Heiser, G., Benini, L.: Systematic prevention of on-core timing channels by full temporal partitioning. IEEE Trans. Comput. (2023, to appear). https://trustworthy.systems/publications/papers/Wistoff_SGHB_23.pdf

  36. Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23rd USENIX Security Symposium, pp. 719–732. USENIX, San Diego (2014)

    Google Scholar 

Download references

Acknowledgements

We thank our anonymous reviewers, as well as Johannes Åman Pohjola for his feedback on our manuscript. This paper describes research that was co-funded by the Australian Research Council (ARC Project ID DP190103743).

Author information

Authors and Affiliations

  1. The University of Melbourne, Melbourne, Australia

    Robert Sison & Toby Murray

  2. UNSW Sydney, Sydney, Australia

    Robert Sison, Scott Buckley, Gerwin Klein & Gernot Heiser

  3. Proofcraft, Sydney, Australia

    Gerwin Klein

Authors
  1. Robert Sison
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Scott Buckley
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Toby Murray
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Gerwin Klein
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Gernot Heiser
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Robert Sison .

Editor information

Editors and Affiliations

  1. University of Toronto, Toronto, ON, Canada

    Marsha Chechik

  2. RWTH Aachen University, Aachen, Germany

    Joost-Pieter Katoen

  3. University of Lübeck, Lübeck, Germany

    Martin Leucker

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Sison, R., Buckley, S., Murray, T., Klein, G., Heiser, G. (2023). Formalising the Prevention of Microarchitectural Timing Channels by Operating Systems. In: Chechik, M., Katoen, JP., Leucker, M. (eds) Formal Methods. FM 2023. Lecture Notes in Computer Science, vol 14000. Springer, Cham. https://doi.org/10.1007/978-3-031-27481-7_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-27481-7_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-27480-0

  • Online ISBN: 978-3-031-27481-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics