Skip to main content
SpringerLink
Log in

Information-flow control on ARM and POWER multicore processors

  • Published:
Formal Methods in System Design Aims and scope Submit manuscript

Abstract

Weak memory models implemented on modern multicore processors are known to affect the correctness of concurrent code. They can also affect whether or not the concurrent code is secure. This is particularly the case in programs where the security levels of variables are value-dependent, i.e., depend on the values of other variables. In this paper, we illustrate how instruction reordering allowed by ARM and POWER multicore processors leads to vulnerabilities in such programs, and present a compositional, flow-sensitive information-flow logic which can be used to detect such vulnerabilities. The logic allows step-local reasoning (one instruction at a time) about a thread’s security by tracking information about dependencies between instructions which guarantee their order of occurrence. Program security can then be established from individual thread security using rely/guarantee reasoning. The logic has been proved sound with respect to existing operational semantics using Isabelle/HOL, and implemented in an automatic symbolic execution tool.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. We will refer to this revised version as simply ARMv8 in the remainder of this paper.

  2. \( \mathcal {L} (x)\) is denoted \( \mathcal {L} {\textsf {type}}\ x\) in [29]. It actually denotes a set of predicates; here we simplify our presentation by referring to the conjunction of that set’s elements.

  3. Again P in [29] is a set of predicates and we simplify our presentation by referring to the conjunction of that set’s elements.

  4. We use snd S to denote the second element of pair S. Similarly, we will use fst S to denote the first element.

References

  1. Alglave J, Maranget L, Tautschnig M (2014) Herding cats: Modelling, simulation, testing, and data mining for weak memory. ACM Trans Program Lang Syst 36(2):7:1-7:74. https://doi.org/10.1145/2627752

    Article  Google Scholar 

  2. Almeida JB, Barbosa M, Barthe G, Dupressoir F, Emmi M (2016) Verifying constant-time implementations. In: Holz T, Savage S (eds) 25th USENIX Security Symposium, USENIX Security 16, pp 53–70. USENIX Association. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/almeida

  3. Barthe G, Blazy S, Grégoire B, Hutin R, Laporte V, Pichardie D, Trieu A (2020) Formal verification of a constant-time preserving C compiler. Proc ACM Program Lang (PACMPL) 4(POPL):7:1-7:30. https://doi.org/10.1145/3371075

    Article  Google Scholar 

  4. Boehm H (2012) Can seqlocks get along with programming language memory models? In: Zhang L, Mutlu O (eds.) Proceedings of the 2012 ACM SIGPLAN workshop on Memory Systems Performance and Correctness: held in conjunction with PLDI ’12, pp 12–20. ACM. doi: https://doi.org/10.1145/2247684.2247688

  5. Casinghino C, Paasch JT, Roux C, Altidor J, Dixon M, Jamner D (2019) Using binary analysis frameworks: The case for BAP and angr. In: Badger JM, Rozier KY (eds) NASA Formal Methods—11th International Symposium, NFM 2019, Lecture Notes in Computer Science, vol. 11460, pp 123–129. Springer, Berlin. https://doi.org/10.1007/978-3-030-20652-9_8

  6. Chandy KM, Misra J (1981) Asynchronous distributed simulation via a sequence of parallel computations. Commun ACM 24(4):198–206. https://doi.org/10.1145/358598.358613

    Article  MathSciNet  Google Scholar 

  7. Chase D, Lev Y (2005) Dynamic circular work-stealing deque. In: ACM symposium on parallelism in algorithms and architectures (SPAA’05), pp 21–28. ACM Press, New York. https://doi.org/10.1145/1073970.1073974

  8. Colvin RJ, Smith G (2018) A high-level operational semantics for hardware weak memory models. CoRR abs/1812.00996

  9. Colvin RJ, Smith G (2018) A wide-spectrum language for verification of programs on weak memory models. In: Havelund K, Peleska J, Roscoe B, de Vink EP (eds.) Formal Methods—22nd International Symposium, FM 2018, Lecture Notes in Computer Science, vol. 10951, pp 240–257. Springer. https://doi.org/10.1007/978-3-319-95582-7_14

  10. Coughlin N, Smith G (2020) Rely/guarantee reasoning for noninterference in non-blocking algorithms. In: 33rd IEEE Computer Security Foundations Symposium, CSF 2020, pp 380–394. IEEE. doi: https://doi.org/10.1109/CSF49147.2020.00034

  11. D’Silva V, Payer M, Song DX, (2015) The correctness-security gap in compiler optimization. In (2015) IEEE Symposium on Security and Privacy Workshops, SPW 2015, pp 73–87. IEEE Computer Society. https://doi.org/10.1109/SPW.2015.33

  12. Ernst G, Murray T (2019) SecCSL: Security concurrent separation logic. In: Dillig I, Tasiran S (eds) Computer Aided Verification—31st International Conference, CAV 2019, Proceedings, Part II, Lecture Notes in Computer Science, vol. 11562, pp 208–230. Springer, Berlin. https://doi.org/10.1007/978-3-030-25543-5_13

  13. Fitzpatrick J (2011) An interview with Steve Furber. Commun ACM 54(5):34–39. https://doi.org/10.1145/1941487.1941501

    Article  Google Scholar 

  14. Flur S, Gray KE, Pulte C, Sarkar S, Sezgin A, Maranget L, Deacon W, Sewell P (2016) Modelling the ARMv8 architecture, operationally: Concurrency and ISA. In: Bodík R, Majumdar R (eds) Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, pp 608–621. ACM. https://doi.org/10.1145/2837614.2837615

  15. Hoare CAR (1969) An axiomatic basis for computer programming. Commun ACM 12(10):576–580. https://doi.org/10.1145/363235.363259

    Article  MATH  Google Scholar 

  16. Jones CB (1983) Specification and design of (parallel) programs. In: Proceedings of IFIP’83, pp 321–332. North-Holland

  17. Kang J, Hur C, Lahav O, Vafeiadis V, Dreyer D (2017) A promising semantics for relaxed-memory concurrency. In: Castagna G, Gordon AD (eds) Proceedings of the 44th ACM SIGPLAN symposium on principles of programming languages, POPL 2017, pp 175–189. ACM. http://dl.acm.org/citation.cfm?id=3009850

  18. Kocher P, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2018) Spectre attacks: Exploiting speculative execution. CoRR abs/1801.01203. http://arxiv.org/abs/1801.01203

  19. Lê N, Pop A, Cohen A, Zappa Nardelli F (2013) Correct and efficient work-stealing for weak memory models. In: Principles and Practice of Parallel Programming (PPoPP’13), pp 69–80. ACM. doi: https://doi.org/10.1145/2442516.2442524

  20. Leroy X, Blazy S, Kästner D, Schommer B, Pister M, Ferdinand C (2016) CompCert—a formally verified optimizing compiler. In: ERTS 2016: Embedded Real Time Software and Systems, 8th European Congress. SEE. https://hal.inria.fr/hal-01238879

  21. Lourenço L, Caires L (2015) Dependent information flow types. In: Rajamani SK, Walker D (eds.) Proceedings of the 42nd annual ACM SIGPLAN-SIGACT symposium on principles of programming languages, POPL 2015, pp 317–328. ACM. https://doi.org/10.1145/2676726.2676994

  22. Mantel H, Perner M, Sauer J (2014) Noninterference under weak memory models. In: IEEE 27th computer security foundations symposium, CSF 2014, pp 80–94. IEEE Computer Society. https://doi.org/10.1109/CSF.2014.14

  23. Mantel H, Sands D, Sudbrock H (2011) Assumptions and guarantees for compositional noninterference. In: Proceedings of the 24th IEEE computer security foundations symposium, CSF 2011, pp 218–232. IEEE Computer Society. https://doi.org/10.1109/CSF.2011.22

  24. Moir M, Shavit N (2004) Concurrent data structures. In: Mehta DP, Sahni S (eds) Handbook of data structures and applications. Chapman and Hall/CRC, Boca Raton. https://doi.org/10.1201/9781420035179.ch47

  25. Molnar D, Piotrowski M, Schultz D, Wagner DA (2005) The program counter security model: automatic detection and removal of control-flow side channel attacks. In: Won D, Kim S (eds.) Information security and cryptology - ICISC 2005, 8th international conference, lecture notes in computer science, vol. 3935, pp 156–168. Springer, Berlin. https://doi.org/10.1007/11734727_14

  26. de Moura LM, Bjørner N (2008) Z3: an efficient SMT solver. In: Ramakrishnan CR, Rehof J (eds.) Tools and algorithms for the construction and analysis of systems, 14th International conference, TACAS 2008, Held as part of the joint european conferences on theory and practice of software, ETAPS 2008. Proceedings, Lecture Notes in Computer Science, vol. 4963, pp. 337–340. Springer, Berlin. https://doi.org/10.1007/978-3-540-78800-3_24

  27. Murray TC (2015) Short paper: On high-assurance information-flow-secure programming languages. In: Clarkson M, Jia L (eds.) Proceedings of the 10th ACM workshop on programming languages and analysis for security, PLAS@ECOOP 2015, pp 43–48. ACM. https://doi.org/10.1145/2786558.2786561

  28. Murray TC, Sison R, Engelhardt K, (2018) C overn: A logic for compositional verification of information flow control. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, pp 16–30. IEEE. https://doi.org/10.1109/EuroSP.2018.00010

  29. Murray TC, Sison R, Pierzchalski E, Rizkallah C (2016) Compositional verification and refinement of concurrent value-dependent noninterference. In: IEEE 29th computer security foundations symposium, CSF, pp 417–431. IEEE Computer Society (2016). https://doi.org/10.1109/CSF.2016.36

  30. Nipkow T, Paulson LC, Wenzel M (2002) Isabelle/HOL—A proof assistant for higher-order logic. lecture notes in computer science, vol. 2283. Springer, Berlin. https://doi.org/10.1007/3-540-45949-9

  31. Pulte C, Flur S, Deacon W, French J, Sarkar S, Sewell P (2018) Simplifying ARM concurrency: multicopy-atomic axiomatic and operational models for ARMv8. Proceedings of the ACM on programming languages (PACMPL) 2(POPL):19:1-19:29. https://doi.org/10.1145/3158107

  32. Sabelfeld A, Myers AC (2003) Language-based information-flow security. IEEE J Sel Areas Commun 21(1):5–19. https://doi.org/10.1109/JSAC.2002.806121

    Article  Google Scholar 

  33. Sarkar S, Sewell P, Alglave J, Maranget L, Williams D (2011) Understanding POWER multiprocessors. In: Hall MW, Padua DA (eds.) Proceedings of the 32nd ACM SIGPLAN conference on programming language design and implementation, PLDI 2011, pp 175–186. ACM. https://doi.org/10.1145/1993498.1993520

  34. Schoepe D, Murray T, Sabelfeld A (2020) Veronica: Expressive and precise concurrent information flow security. In: IEEE Computer Security Foundations Symposium (CSF), pp 79–94

  35. Sewell P, Sarkar S, Owens S, Nardelli FZ, Myreen MO (2010) x86-TSO: a rigorous and usable programmers model for x86 multiprocessors. Commun ACM 53(7):89–97. https://doi.org/10.1145/1785414.1785443

    Article  Google Scholar 

  36. Sison R, Murray T (2019) Verifying that a compiler preserves concurrent value-dependent information-flow security. In: Harrison J, O’Leary J, Tolmach A (eds.) International conference on interactive theorem proving (ITP 2019), Leibniz international proceedings in informatics, vol. 141, pp 27:1–27:19. Schloss Dagstuhl-Leibniz-Zentrum für Informatik

  37. Smith G, Coughlin N, Murray T (2019) Value-dependent information-flow security on weak memory models. In: ter Beek MH, McIver A, Oliveira JN (eds) Formal Methods—The Next 30 Years—Third World Congress, FM 2019, Lecture Notes in Computer Science, vol 11800, pp 539–555. Springer, Berlin. https://doi.org/10.1007/978-3-030-30942-8_32

  38. Tan YK, Myreen MO, Kumar R, Fox ACJ, Owens S, Norrish M (2019) The verified CakeML compiler backend. J. Funct. Program. 29:e2. https://doi.org/10.1017/S0956796818000229

    Article  MathSciNet  MATH  Google Scholar 

  39. Vaughan JA, Millstein TD (2012) Secure information flow for concurrent programs under Total Store Order. In: Chong S (ed.) 25th IEEE Computer Security Foundations Symposium, CSF 2012, pp 19–29. IEEE Computer Society. doi: https://doi.org/10.1109/CSF.2012.20

  40. Zheng L, Myers AC (2007) Dynamic security labels and static information flow control. Int. J. Inf. Sec. 6(2–3):67–84. https://doi.org/10.1007/s10207-007-0019-9

    Article  Google Scholar 

Download references

Acknowledgements

This work was supported by Australian Research Council Discovery Grant DP160102457, and a combination of Next Generation Technologies Fund (NGTF) and Strategic Research Initiative (SRI) funding from the Defence Science and Technology Group, Australia. Thanks to Liam Kent for implementing the symbolic execution tool.

Author information

Authors and Affiliations

  1. Defence Science and Technology Group, Brisbane, Australia

    Graeme Smith

  2. School of Information Technology and Electrical Engineering, The University of Queensland, Brisbane, Australia

    Graeme Smith & Nicholas Coughlin

  3. School of Computing and Information Systems, The University of Melbourne, Melbourne, Australia

    Toby Murray

Authors
  1. Graeme Smith
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nicholas Coughlin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Toby Murray
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Graeme Smith.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Smith, G., Coughlin, N. & Murray, T. Information-flow control on ARM and POWER multicore processors. Form Methods Syst Des 58, 251–293 (2021). https://doi.org/10.1007/s10703-021-00376-2

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10703-021-00376-2

Keywords

Search

Navigation